Practical Approach
To
Combating Cyber Crimes
Chinatu Uzuegbu
CCISO, CISSP, CISM, CISA, CEH…….
Breaking News!!!
• Nigeria loses about N200b ($709m) to cyber crime annually.
• In Nigeria, there were about 3,500 (70%) successful cyber attacks
which targeted the InfoTech space in the country, including the
infrastructures of the government.
• Nigeria ranks 3rd in global internet crime, after the United Kingdom
and the USA.
• Africa as a whole loses about $2b to cyber crime every year, as
reported in 2016.
• In the USA, the rate of cyber breaches targeting Health Care
Organisations and the corresponding Electronic Health
Records (EHR) has increased from 0.63% before 2015 to 34% in
2015 and 90% as at today, as the Ponemon Institute reported.
• A 2017 global cyber crime analysis revealed that the cost of
cybercrime damages will increase from $3 trillion as at 2015 to $6
trillion annually by 2021. This was reported by the Herjavec group
of Cyber Security Ventures.
• The global loss to cyber crime amounted to over $700 billion (N253t)
per year, and it is projected to rise to about $2 trillion by 2019, due
to the rapid digitization of consumer lives and company. The
number of incidents in 2016 grew by 38% as against the number
reported in 2015.
• 2017 Cyber Crime analysis revealed that Cybercrime damages will
cost the world $6 trillion annually by 2021.
• According to Intel, ‘The Big Data Bang’ is an Internet of things(IoT)
worldwide technology that will explode from 2 billion objects (smart
devices which communicate wirelessly) in 2006 to a projected 200
billion by 2020.
Breaking News!!! Cont’d
• According to Gartner’s forecast, more than half a billion
wearable devices will be sold worldwide in 2021, up
from roughly 310 million in 2017. Wearable devices
include smart watches, head-mounted displays, body-
worn cameras, Bluetooth headsets and fitness
monitors.
• Cyber Security Ventures also predicted in its 2017
report that there would be about 300 billion passwords
to protect globally by 2020.
• Nigerian hackers also participate in malicious activities
on the global cyber sphere such as the $3 billion heist
recently reported by the FBI that affected over 500
companies in over 50 countries including Germany,
United Arab Emirates (UAE), India and Russia.
Breaking News!!! Cont’d
• Ransomware costs rose the most between 2017–2018,
from $533,000 to $646,000 (a 21% increase) as
reported by The World Economic Forum. A loss of $24m
was reported before 2015 and as at first quarter in
2016, it increased to $209m.
• A malware, known as ‘Lazarus’ was used to
compromise and hack into over 200,000 banking and
financial systems in over 150 countries. It was reported
that the Malware originated from the Middle East,
mostly Syria, Iran and Kenya. Nigeria if not proactive
enough would soon be in the target list.
Why so Much Loss to Cyber Crime?
• The Cyber criminals run ahead of the emerging Technology to
exploit vulnerabilities.
• There is a consistent daily release of thousands of new
Applications inclusive of Desktop, Web and Mobile Applications
for different purposes.
• The malicious guys are steadily on top of their game taking
advantage of the Software and Application releases.
• This is the Cyber age and there is nothing anyone can do about it.
Virtually every aspect of life is riding on the Cyber, and Internet of
Things deployment has kicked off. The malicious guys keep
threatening and gaining ground.
• The rise of Cyber War is so drastic that if Nigeria does not rise to
combating Cyber Crime, the yearly loss could increase to
$trillion.
Why so much Loss to Cyber Crime... Cont’d
• Critical Information and Forums that should be highly
sensitive are in the Open.
• No Policies binding the management of Information ‘at
Rest’, ‘in Transit’ and ‘Discussed’.
• Unwarranted Monitoring and Undue Tracking Tools
have made both Personal and Corporate Information
Privacy nearly impossible.
• Sensitive discussions in the boardroom are circulated
across the globe even before the end of such meetings
with these unwarranted Monitoring Tools.
• No corresponding Security updates and tools to run with the
emerging Technology and in the long run the Security Policy
is not updated.
• Most Victims of Cyber attacks do not have a proactive
knowledge on how to secure their Resources.
• Unfortunately, The Cyber Security Professionals, the
expected Mediators and Supporters of the Business are few
in the market and not running with the high pace of the
attackers in playing their mitigating roles.
• Cyber Security is quite a new field and there is a general
knowledge gap
Practical Approach To Combating Cyber Crimes:
Objectives
• To minimise the ad hoc, chaotic and reactive approach
to securing the Critical Information Assets of
Organisations.
• To Promote a more proactive approach to securing
these critical Information Assets.
• To establish a clear and explicit approach to combating
Cyber Crimes.
• To assure Organisations that their investments on
Information Security could be transparent, measurable
and Value-driven.
• To understand the various Cyber Threats in line with
Counter Measures.
Practical Approach To Combating Cyber Crimes:
Outline
• Overview of Cyber Security.
• Identifying and Classifying your Information Assets.
• Protecting your Information Assets.
• Determining The Ideal Security Measure.
• Combating Cyber Crimes 1 (Social Engineering Attacks).
• Combating Cyber Crimes 2 (Others).
Overview of Cyber Security
The philosophy of The CIA Triad
The CIA Triad:
The journey begins here
• CIA is an acronym for Confidentiality, Integrity and Availability.
• It can be in any direction such as AIC triad or ICA triad.
• It is more like a triangle as they work together, each is as important as the
others in the triangle.
• The tour around the sphere of Cyber Security begins here and the journey
still continues.
• Cyber Security is an act of protecting and safeguarding the Critical
Information Assets of an entity to an acceptable level using the concept of
the CIA Triad.
• The Concept of The CIA Triad promotes Multi-Layered Security or Defence.
• The CIA Triad is more like a Framework that covers Security Policies,
Controls, Safeguards, Counter Measures, Threat Vectors, Security Processes
and lots more.
Confidentiality
• The act of ensuring that the entity’s critical Information
Assets are protected from unauthorised access and disclosure.
• Mostly referred to as the ‘secrecy Object’.
• The act of ensuring that risks prone to the loss or disclosure of
Critical Information Assets of an entity are reduced to an
acceptable level.
• A reasonable level of secrecy is enforced at each point of data
processing and at the same time prevents undue disclosure.
• Attacks against Confidentiality include shoulder surfing,
Password theft, undue Network monitoring, social Engineering,
breaking of encryption algorithms and others.
Integrity
• The act of ensuring that the entity’s Critical Information
Assets are accurate and protected from unauthorised
modification.
• Integrity promotes a level of assurance in three ways:
– Preventing unauthorised Modifications by
unauthorised party.
– Preventing unauthorised, unanticipated or
unintentional modifications by the Authorised party.
– Maintaining Internal and External consistencies.
• Attacks against integrity include alterations of data at
Rest and in Transit.
• The Integrity Controls include Hashing, Digital
Signatures, Authentication, Separation of Duties,
Acceptable Use Policy(AUP) and Others.
Availability
• The act of ensuring that the Critical Information Assets
are accessible to authorised parties as and when required.
• The Information Assets include hardware, data, physical
facilities, Software Applications, Web Browsers and
Applications, Network Infrastructures and others.
• The attacks against Availability include Theft, Denial of
Service (DoS), Distributed Denial of Service (DDoS),
Malware, slow performance of resources, low capacity,
low bandwidth and others.
• The Availability Controls include system/hardware
redundancy, connection and transmission availability,
Intrusion Prevention Systems (IPS), restoration of services,
systems and data, Business Continuity and others.
Assurance of Confidentiality, Integrity and Availability
• Drive the concept of the CIA Triad with a top-down approach (senior-level
stakeholders from the various business and technical units should be involved).
• Identify and outline the Critical Information Assets of the entity.
• Classify each Asset based on its Value and Impact on the entity’s bottom line.
• Evaluate the Threats, Vulnerabilities and Impact using a Risk Management
Framework.
• Treat Risk by ensuring the ideal Controls, Countermeasures and Safeguards are
implemented and configured around the Asset.
• Always think Layered Security or Defence in-depth when implementing the
controls, so that the entity does not rely on only one safeguard and remains
protected when one safeguard fails.
• The Countermeasures and Safeguards assure an acceptable level of
Confidentiality, Integrity and Availability around the Asset.
• Regular review and update of the Risks would ensure an ‘on top of the game’
culture.
Identifying and Classifying
your Information Assets
Identifying and Classifying your Information Assets:
Quotable Quotes
• The degree of Value you place on your assets
determines the level of protection you would
commit to such Assets.
• Think Value before Security.
• The Value you attach to anything in life would
either motivate or de-motivate you for respective
positive or negative actions towards that thing.
• The driving force or zeal exhibited on securing any
Asset/Resource is dependent on the Value
attached to it.
Identify and Classify your Valuable Asset:
What is an Asset?
• An Asset is any desirable and good quality item with
an exchangeable Value. It is an item of ownership
convertible into cash; total resources of a person or
business.
• An Asset is that data, application, System, Server,
Database, Financial Info, Mobile Phone, Laptop,
Network and communication Infrastructures, Goodwill ,
cash and others valuable to you as a person, corporate
firm and Government.
• The level of Value and Importance you attach to each
Asset classifies it as either high or Low.
• An Asset is highly valued if it is such that you cannot
do without. You would need to go the extra mile in
securing it from any form of attack or destruction.
Identifying your Information
Assets
• Any successful Cyber Security program must
begin with identifying your critical Information
Assets, that is, those Assets that keep the Entity
running.
• This could be achieved using Impact Analysis
and Risk Assessment techniques, that is,
analysing how much loss the Entity would incur if
for any reason the Asset is no longer available.
• The impact analysis would give a clearer
picture in identifying the actual Assets required.
Classifying your Information
Assets:
Identified? To what Degree?
• The next step after identifying your critical
Information Assets is to classify the identified Assets.
• The classification of each Asset is determined from
the result of the impact analysis done with the Asset
owners.
• All Stakeholders of the Assets, supposedly members
of the Cyber Security Steering Committee, would
analyse and classify the value of each Asset.
• The Classes of Value could be: Critical, High,
Medium, Low or as defined by the Committee.
Protecting Your Information
Assets
Protecting Your Information Assets
• On Identifying and Classifying your Information Assets, the
knowledge of the various Control Types and Techniques
required for protection of the Information Assets would then
apply following the concept of the CIA Triad earlier discussed.
• The Administrative, Technical and Physical Control Types are
the first Layer under the Umbrella of the CIA Triad.
• The Preventive, Detective, Deterrent, Recovery, Corrective
and Compensative granular controls under each Control Type
cover the second Layer under the Umbrella of the CIA Triad.
• Understanding the above concepts would help in building a
layered and seamless security measures or Controls around
your Information Assets.
Protecting Your Information Assets:
Administrative Controls
• The governance and operational procedures of the entity and
its environments right from inception.
• The frontline of the business comprising Policies, the
corporate image, the registered business name, website,
domain name, the philosophy of the business, Vision,
mission, culture, brand and overall values.
• The Human related processes including the employees
procedural manuals, job employment, Organisational
structures, termination and exits.
• The Administrative Controls address the various ways of
protecting the administrative Assets of the Entity.
• The Administrative Controls are the development and
publishing of Policies, Standards, Procedures and Guidelines,
the management of risk, background checks, terminations
and exits processes and other Security awareness programs.
Protecting Your Information Assets:
Technical Controls
• The Technical(Logical) aspect of any Business or organisation
manages the Systems Infrastructures of the Business from
the Logical Point of view.
• The end to end architectural flow of each infrastructure is
managed here.
• The Technical Controls address the various ways of protecting
the Business Information Assets from the logical perspective.
• The Technical controls comprise the implementation,
maintenance and overall management of Access Control
mechanisms, Passwords, System and Online Resources,
Infrastructures, Configuration Management Database(CMDB),
the identification, authentication and authorisation
techniques and others.
Protecting Your Information Assets:
Physical Controls
• The Physical aspect of any Business manages the
Facilities and their perimeters, the Business
environments, Car Parks, entry points as a matter of
fact all physical devices in the Business premises and
in transit.
• Physical Controls address the various ways of
protecting these facilities with a level of assurance
that the security measures are balanced with the
required techniques in the CIA triad.
• The Physical Controls comprise protecting, controlling
and monitoring the individual access to the facilities,
the environment, the perimeter of the facilities, the
various departments including the people, the
entrances, the Data Centre and others.
Protecting Your Information Assets:
Preventive, Detective, Deterrent, Corrective, Recovery, Compensating and Directive
• The Administrative, Technical and Physical Controls could be directly or
indirectly applied in a layered approach with all or any of the required
Security Measures(Preventive, Detective, Deterrent, Corrective, Recovery,
Compensating and Directive).
• Preventive: The Security Measures that aim at blocking threats and
attackers from accessing and destroying the Information Assets. This
covers the Policies(Administrative), Access Controls(Technical), Perimeter
Defence(Physical) and others. Preventive measures are the first line of
approach in securing Information Assets.
• Deterrent: The Security Measures that aim at discouraging attackers
from exploiting the Information Assets. This includes high fences and
CCTV (Physical), sanctions on violations (Administrative) and log-on
banners warning of sanctions for system abuse (Technical).
• Detective: The Security Measures that aim at finding Security breaches
and the attackers at the point of exploiting the Information Assets and
stopping them from further exploits in cases where the preventive
measures applied were not effective enough. This covers all kinds of
monitoring (Physical), auditing, logs and intrusions (Technical) and policy
violations (Administrative).
• Corrective: The Security measures that aim at timely resolution
of any damage or issue that led to system disruption or downtime.
• Recovery: The Security Measures that aim at restoring lost or
corrupted data. This covers Back-up data and plans.
• Compensating: The Security Measures applied in cases where
the ideal and supposed security measure seems more expensive
than the actual value of Information Asset.
• Directive: The Security Measures that are driven from the Top-to-
bottom management approach. In most cases they are mandatory
high level Management statements covering the Policies and
Standards as well as the Local regulatory standards and the
reputation of the Business.
• When two or more of the security measures are applied to
Information Assets, it is referred to as Layered Security promoting
the concept of Defence in-depth
Protecting Your Information Assets:
Important Facts
• Prioritise your security measures based on the Classification
level and the criticality of the Information Assets.
• In most cases the security measures firstly applied on the
most highly classified Assets would automatically cover
the other Assets in the medium or lower classification
levels.
• You must have a clear understanding of the ideal security
measures to be applied on each Asset, Vulnerability
Assessment is required here.
• Ensure that the cost of Security measures applied on each
Asset is not more than the actual cost or value of the
Assets, seek for a compensating measure at this level.
Protecting Your Information Assets:
Important Facts Cont’d
• The Security measures must align with the Business
Objectives of the Asset Owner and must not in any
way hinder the business.
• All Stakeholders which cuts across the Business
Owners , IT , Systems Security , Internal Control and
other necessary key Officers must be involved in
determining the ideal security measures and it must be
driven by the Top level Management.
• Cyber Security is the overall responsibility of everyone.
• Some Information Assets could be protected by
applying any, some or all of the Confidentiality,
Integrity and Availability principles, depending on the
criticality of the Information Assets.
Determining The Ideal Security
Measure
Determining The Ideal Security Measure
• With a good understanding of the Controls
and Security Measures, the next step is determining the
ideal Security Measures to apply.
• The Measures of protection could be ascertained using
some Vulnerabilities/Risk Assessment Methodologies.
• The Concept of Vulnerabilities, Threats and Risks would
apply extensively.
• The concept of overall Risk Management would also
apply.
• The cost of each Security measure with the actual
value of the Assets would apply
• A little Math would also apply here but nevertheless it
would not be much of a bother.
Determining The Ideal Security Measure:
Vulnerability
• A Vulnerability could be defined as a weakness or looseness.
• An Asset or any object could be seen as vulnerable if there is an element
of weakness around that Asset.
• The weakness could be in form of an opening, exposure or something
important lacking on the Asset.
• There is an element of visible and invisible vulnerabilities surrounding
every newly installed or procured Asset.
• It is a good practice to pro-actively outline the vulnerabilities around an
Asset immediately after identifying it as Critical for your Business.
• In Cyber Security, it is important to start your Risk Management process
with a Vulnerability check list around the Asset.
• For example, a Critical Server Operating System (Asset) with no Anti-Virus,
no updated patches, a weak log-in password, easy access by
unauthorised parties, no Uninterruptible Power Supply (UPS) and
other weaknesses surrounding the Asset is seen as highly Vulnerable.
Determining The Ideal Security Measure:
Threat
• A Threat is that point at which the vulnerability is seen as a danger
that could be exploited by the bad guys(hackers, criminals, attackers,
others) known as Threat Agents.
• For example, some of the Critical Operating System vulnerabilities
outlined in the previous slide could cause so much harm on both the
Asset and the business if exploited by the bad guys(Threat Agents).
• The bad guys(Threat Agents) could take advantage of the fact that
there is no Anti-Virus program on the system and get it infected with
Virus(Threat).
• Malware infection on a Critical System could be disastrous and
negatively affect the Confidentiality, Integrity and Availability
principles of Security.
• An Asset could be Vulnerable but with High or minimal Threat, it all
depends on the scenarios around the vulnerability and the probability
of Impact.
Determining The Ideal Security Measure:
Risk
• Risk is the probability or likelihood that a Vulnerability
could be exploited with a Threat by a Threat Agent.
• Following our Critical Operating System example, one of
the vulnerabilities is that of weak log-in Password which
could be easily guessed and attacked(Threat) by the
Threat Agents.
• The probability or likelihood that the weak Log-in
Password (Vulnerability) could actually be exploited with
guessing attacks (Threat) by the Threat Agent is
referred to as Risk.
• It is this level of certainty or probability that now
determines whether the risk is high, low or insignificant.
Determining The Ideal Security Measure:
Risk Cont’d
• If the Risk is high, a Security Measure, which at this point is
referred to as a Counter Measure or Safeguard, is proffered.
• As discussed in the previous Nugget, the weak Log-in
Password is a Vulnerability that falls under Technical
Control which could breach the three basic principles in
the CIA Triad.
• The Security Measure (Counter Measure) would be a
Preventive Technical Control which is tailored down to a
stricter Password Management approach.
• We would be looking at Risk from various perspectives in
the subsequent slides.
Determining The Ideal Security Measure:
Risk Equation
• Risk= Vulnerability * Threat * Impact
• Impact is the consequence of the Threat exploiting the
Vulnerability.
• The Risk Equation assists us to understand the Risk
level of a Threat exploiting a vulnerability on an Asset.
• For example, the Critical Operating System’s missing
patch(Vulnerability) could lead to unauthorised
access to the system and other Applications on the
System(Threat) and the consequence could amount to
theft of data and so many others(Impact).
• The Risk Equation would assist us to determine the
Risk Response, that is if the Risk should be mitigated,
Accepted, Avoided or transferred to Insurance.
Determining The Ideal Security Measure:
Risk Responses
Risk Response is a process of determining a suitable
Counter Measure to be applied on the Asset. The four
basic Risk Responses are:
• Mitigate: Reduce Risk to an Acceptable Level and with
the right protection Mechanism to maintain it at that
level.
• Accept: To take the Risk as it is probably due to a
minimal or insignificant likelihood.
• Avoid: Not to do anything that is causing the Risk.
• Transference: To involve a Third Party Insurance on
the Assets especially when the cost of Counter Measure
is unbearable to the Business.
Determining The Ideal Security Measure:
Risk Analysing Types
We have two types of Risk Analysis generally:
• The Quantitative Risk Analysis: A process of
calculating Risk using numerical and monetary values.
The Quantitative Risk Analysis takes into consideration:
– The Asset Value (AV): The cost of the Asset, the man hours and
cost of labour.
– The Exposure Factor of the Asset (EF): The level of exposure.
– The Single Loss Expectancy (SLE): The value of loss expected
on a single disruption event (AV * EF).
– The Annual Rate of Occurrence (ARO): The frequency at which the
disruption could occur in one year.
– The Annual Loss Expectancy (ALE): The value of loss expected
in one year (SLE * ARO).
• The Qualitative Risk Analysis: A process of calculating
Risk using determined scenarios that could be subjective
in nature.
Determining The Ideal Security Measure:
Cost of Counter Measure vs Value of Asset
• Recall that the Cost of Counter Measure should
not be more than the value of Asset. It is
advisable that you use a compensating control at
that point.
• After you arrive at a Counter Measure using the
Risk Equation and Risk Analysis, it is a good
practice to evaluate the cost of Counter Measure
and ascertain that it is not more than the Value of
the Asset.
• To achieve this:
Cost of Counter Measure = Annual Loss Expectancy (ALE) before Counter Measure
- Annual Loss Expectancy (ALE) after Counter Measure
- Annual Cost of Counter Measure.
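The quantitative terms from the previous slide (AV, EF, SLE, ARO, ALE) and the formula above can be worked through together. The following is an added example, not part of the original slides; the class and function names and all sample figures are constructed for illustration. The figure the slide calls "Cost of Counter Measure" is computed as `result`; it is commonly described as the value of the counter measure to the business, so a negative result means the measure costs more than the loss it prevents.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, in the slide's terms."""
    asset: str
    asset_value: float      # AV: cost of the asset, man hours and labour
    exposure_factor: float  # EF: fraction of AV lost per disruption (0 to 1)
    aro: float              # ARO: expected disruptions per year

    def __post_init__(self):
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must not be negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class CounterMeasure:
    """Hypothetical safeguard; it may lower EF, ARO or both."""
    name: str
    annual_cost: float
    ef_after: Optional[float] = None   # EF once deployed (None = unchanged)
    aro_after: Optional[float] = None  # ARO once deployed (None = unchanged)


def evaluate(scenario: Scenario, cm: CounterMeasure) -> dict:
    """Apply the slide's formula: ALE before - ALE after - annual cost."""
    after = replace(
        scenario,
        exposure_factor=(scenario.exposure_factor if cm.ef_after is None
                         else cm.ef_after),
        aro=scenario.aro if cm.aro_after is None else cm.aro_after,
    )
    result = scenario.ale - after.ale - cm.annual_cost
    if cm.annual_cost > scenario.asset_value:
        # The slide's rule: never spend more than the asset is worth.
        verdict = "costs more than the asset: use a compensating control"
    elif result <= 0:
        verdict = "not cost-effective"
    else:
        verdict = "cost-effective"
    return {"name": cm.name, "ale_before": scenario.ale,
            "ale_after": after.ale, "result": result, "verdict": verdict}


def rank(scenario: Scenario, cms: List[CounterMeasure]) -> List[dict]:
    """Order candidate counter measures from best to worst result."""
    return sorted((evaluate(scenario, cm) for cm in cms),
                  key=lambda r: r["result"], reverse=True)


# Constructed sample data (currency units are arbitrary).
SERVER = Scenario("critical server", 50_000_000, 0.4, 0.5)
PATCHING = CounterMeasure("patching and anti-virus", 1_500_000, aro_after=0.1)
BACKUP = CounterMeasure("off-site backups", 800_000, ef_after=0.25)
STANDBY = CounterMeasure("duplicate hot site", 60_000_000, ef_after=0.05)

if __name__ == "__main__":
    print(f"SLE = {SERVER.sle:,.0f}  ALE = {SERVER.ale:,.0f}")
    for row in rank(SERVER, [STANDBY, BACKUP, PATCHING]):
        print(f"{row['name']:<26} ALE after {row['ale_after']:>12,.0f}  "
              f"result {row['result']:>14,.0f}  {row['verdict']}")
```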
Determining The Ideal Security Measure:
Risk Management Frameworks
It is a good practice to run your Risk
Management and Analysis using any of
the methodologies.
• NIST SP 800-50
• FRAP
• OCTAVE
• FMEA
• Others.
Kindly do a search on each of the
frameworks and apply accordingly.
Determining The Ideal Security Measure:
Important Facts on Risk Management
• Information Risk Management is the responsibility of the Business Unit
or Group Managers even though it has to be in support of the Top Level
Management.
• Risk Management focuses on reducing risk to a level acceptable by the
Business and with the right mechanisms to maintain that level.
• Risk Management would help to ascertain the most cost effective,
relevant, up-to-date, ideal and resilient Counter Measure on a given
Asset.
• The right countermeasure would eliminate the Vulnerability and Threat
but cannot eliminate Risk and the Threat agent. The Asset would be
protected by reducing or mitigating Risk and preventing the Threat
Agent from exploiting Vulnerabilities around the Asset.
• There would always be some elements of risk left after applying the
Counter Measure. This left-out Risk is referred to as Residual Risk.
Combating Cyber Crimes 1
(Social Engineering)
Combating Cyber Crimes 1:
• With a good understanding of the Vulnerabilities, the Threats and the
Risk that the Vulnerabilities could be exploited, knowledge of the
various Cyber Threats/Crimes and the corresponding Security
Measures to combat them is important.
• The Security Measures could be preventive, detective, deterrent,
Corrective, Restorative, Compensative and Directive.
• The aim of the Security Measures is to assure that the Assets are
protected with adequate measures of Confidentiality, Integrity
and Availability (CIA Triad) as the case may be.
• The Threats are categorised into Social Engineering and Others,
inclusive of Denial of Service, Malware, Breaches on Unauthorised
Accesses, Perimeter attacks, breaches, Weak Authentications,
Outbound and Inbound intrusions, Zero-Day and Others.
• The Threats with their corresponding Counter Measures are
detailed in the subsequent slides.
Combating Cyber Crimes 1:
Social Engineering Attacks
• A Social Engineering attack is one in which an attacker tricks a victim into
giving up sensitive information.
• It can involve using legitimate means, such as a company’s website, so that the
victim innocently launches an illegitimate website by clicking on a link in the
company’s website.
• Social Engineering attacks do not require any technical know-how, only a little
skill in tricking and playing on the intelligence of the victim.
• Social Engineering is one of the easiest ways for an attacker to gain
unauthorised access to information; in fact it has been steadily reported that
Social Engineering attacks are the most common and successful cyber attacks, as
they cover about 91% of cyber attacks.
• It is important that in Cyber Security no one should be trusted; a little psyching by
any unsuspected hacker could unleash highly sensitive information into the hands of
the attacker.
• It is also important to note that humans (employees) are the weakest link in Cyber
Security; they could be used and brainwashed at any point in time.
• Social Engineering attacks include: Phishing, Spear Phishing, Pharming, Dumpster
Diving, Shoulder Surfing, Watering Holes, Pretexts, Tailgating or Piggybacking,
Whaling, Baiting, Quid Pro Quo and others.
• We would discuss each of these attacks and their corresponding Counter Measures
in the subsequent slides.
Combating Cyber Crimes 1:
Phishing and Counter Measures
• Phishing is an act of using emails, messages and any form of communication
media to trick a victim into supplying personal information by clicking on a
malicious link in the email.
• The personal Information supplied would then be used by the attacker to infer
information such as Log-in details which they would use for other malicious acts
against the Victim. The information could be used to extract information from
the Social Media.
• The personal information could be the Credit/Debit card details of the Victim,
the names of the Victim, the company details such as IP address and others.
• The messages and emails are composed in such a tricky manner that the Victim
would not have any choice than to be deceived into feeding in the requested
Information. In most cases the attackers would use well known details of the
company such as the domain name to get the victim more enticed.
• The attackers in most cases would use a short web address or embed links to re-
direct victims to the malicious site hosting scripts that would trigger further
attacks and exploits.
• The main Counter Measure against Phishing attacks is Training and Security
Awareness Courses.
• It is advisable to use Phishing campaigns to drill staff on the level of Security
knowledge acquired.
• Downloading attachments or clicking on links in such emails should be avoided.
• The company should deploy spam filters and firewalls to filter out such emails and keep
them out of employees’ reach.
Combating Cyber Crimes 1:
Spear Phishing and Counter Measures
• Spear Phishing Attack is more like the Phishing attack but this time more
targeted and focused on a highly privileged employee of the company such
as the CEO/Managing Director.
• The scenario is to get some information about that highly profiled Executive
and then use the details to impersonate the Executive to get a more
targeted information for malicious intents.
• The Counter Measures against Spear Phishing still boil down to Security
Awareness.
• Ensure adequate non-disclosure undertakings are in place with all
employees of the company.
• Employees must be trained to question and validate unprompted links by
calling the sender, sending a separate follow-up email or checking via
services such as https://
• Do thorough background checks on the help desk Team or the Team
members working with the highly profiled Officer such as the CEO/MD and
others. A more targeted Non-disclosure undertaking should be done with
each person on assuming duties.
• Use Spear Phishing drills to test the level of knowledge of each staff.
• Maintain a level of alertness in discerning the intentions of unsuspected
attackers, both in phone conversations and elsewhere.
Combating Cyber Crimes 1:
Dumpster Diving And Counter Measures
• Dumpster Diving is a process of gathering company
information, without authorisation, from the garbage bin or trash can
for the purpose of either using it with malicious intent or disclosing
it further to an unauthorised third party.
• The motive behind dumpster diving could be to source information
for benchmarking or competing with another company. It could be
an avenue for passing customer information to a competitor for
all sorts of malicious intents.
• Dumpster Diving in most cases is seen as legal but could be
unethical. This could be because the information gathered has in most
cases been discarded and trashed.
• Some consequences of Dumpster Diving could be a reduced
customer base and damage to the image of the company from the
information the attacker could have obtained.
• To counter Dumpster Diving, always ensure you engage your
paper shredders. Shred your discarded hard-copy information; it
does not really matter whether it is deemed sensitive or not,
just imbibe shredding as part of Corporate culture.
Combating Cyber Crimes 1:
Watering Holes and Counter Measures
• A Watering Hole Attack is a more focused and sponsored attack: the
attacker takes time to study the website of the targeted company for
vulnerabilities with the intent of injecting malicious code into the web
pages of the website.
• When the Users of the victim company launch the pages of the website as
part of their usual job routine, the malicious code inserted would trigger
Trojans which would spread like a botnet to other systems on the network.
• The Attacker uses this as a way of exploiting unknown vulnerabilities
detected by the Attacker.
• The Potential Victim System that is used to spread the Trojan is known as
the Watering Hole.
• The consequence of a Watering Hole attack is that the Vulnerability is a
Zero-day (unknown) and it would be difficult for the Victim Company to
recover from the Trojan once it has spread.
• To Counter the effect of a Watering Hole, ensure your systems are
updated at both the application and Operating System levels. Most Updates
could avert such Zero-day attacks.
• Security Awareness is also key here: the attackers target the careless
and weak Users and use them to trigger and spread the malicious code.
• Carefulness and Non-disclosure of Log-in credentials should apply here.
Combating Cyber Crimes 1:
Tail Gating(Piggybacking) and Counter Measures
• Tailgating, also known as Piggybacking, is a process where an attacker or
unauthorised Person tries to use the entry access right of an authorised
Person to gain entrance into a building or an Office.
• The Unauthorised Person would in most cases pretend to be in haste or
carrying a heavy load and try to persuade the authorised Person to hold
the door so that he/she can follow.
• The Authorised Person in turn would act out of innocent pity
and eventually allow the unauthorised Person into the building or Office.
• The Consequence is that the Unauthorised Person gains
unauthorised access to the building and then carries out his malicious
intent. It could be to steal or to get information from the innocent
employees.
• To Counter Tailgating attacks, use dead man doors that
admit only one person at a time.
• Security Awareness is another key: employees should look
behind them and to the sides before going through such entrances.
• Electronic doors with fingerprint or swipe card access should also
be promoted; with these, employees can easily be tracked and cautioned
when they allow unauthorised access.
Combating Cyber Crimes 1:
Pretexting and Counter Measures
• Pretexting is a process where the Attacker uses a partial script or an articulated
scenario to pretend and deceive the Target User (Victim) into giving further information
that would complete the Attacker’s script and in turn grant the Attacker unauthorised
access.
• In Pretexting, the Attacker takes his time building the access script, manipulating the
Victim with reasons to hand over the remaining information that would eventually
give the Attacker access to the target system or building.
• The intention of the Attackers is to gain access to sensitive information by
pretending to be an authorised User or Vendor.
• The Attacker could pose, probably as an External IT Vendor or a
reputable agency, and manipulate the Victims into believing the intents of the
attacker are pure.
• The Attacker could also try to get information about the Target Server and the necessary
details online, use the information to access the Server online and then
launch further attacks.
• A good example is the case of attackers pretending to be representatives of
Modelling agencies and escort services, requesting nude pictures of the Victims, who
happened to be girls. The Victims were deceived into thinking the attackers were doing
them a sort of good, only for these bad guys to use the nude pictures for pornography
and other evil acts.
(https://www.washingtonpost.com/news/the-intersect/wp/2014/10/07/forget-celebgate-hackers-are-gunning-for-the-nude-photos-of-ordinary-women-and-underage-girls/?utm_term=.7e42bd145640).
• The Consequence of Pretexting is Information Theft that could further affect the
Combating Cyber Crimes 1:
Baiting and Counter Measures
• Baiting is another form of tricking employees and individuals into allowing the
Attacker unauthorised access to the systems through the offer of a gift.
• A Baiter could promise to offer a Victim a gift if the Victim supplies his Log-in
details to a link provided by the Attacker. The gift could be the download of a
promising Mobile App or Music.
• The aim is to use gifts to entice the Victim so that the Attacker acquires
information without authorisation.
• A good example is that of attackers who pretended to be promoting their
customised USB devices, but on the USB device was a malware script embedded in
a well designed image in such a way that when the image is launched, it triggers
the malware script, which would in turn send the details of the Victim’s system,
including the Password and the Name of the System, to the email address of the
Attacker. Those that got the USB devices as a gift would supposedly launch
the embedded script and have their system details sent online to the Attacker.
(http://web.archive.org/web/20060713134051/http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1).
• The consequence of Baiting is that the Attacker gains undue information that
would be used to launch a more targeted and dangerous attack.
• To Counter Baiting Attacks, Users should be trained on Integrity and security
consciousness, and perimeter defences such as Firewalls should be in place. It is
important to update the Anti Virus Software on the systems.
Combating Cyber Crimes 1:
Quid Pro Quo and Counter Measures
• Quid Pro Quo is much like Baiting, but with the promise of a service or
benefit from the Attacker after the Victims have innocently granted
them undue Access.
• The Attacker could pretend to be an IT Service Provider and deceive
the Victim, who has IT support in mind.
• The Victim would further be deceived into uninstalling authentic software such
as Anti Virus from the Victim’s System and replacing it with the Attacker’s Malware or
fraudulent System under the guise of an Update.
• The Quid Pro Quo Attackers could talk the Victims into disabling their Anti
Virus Software.
• The Consequence could be fraud and could lead to absolute shut down of
systems.
• To Counter Quid Pro Quo attacks, Users should be conscious, promote
a culture of integrity and refuse to be enticed with benefits of any
kind just to gain a service.
• Companies should engage Service Providers and ensure the servicing of the
systems is restricted to them.
• On no condition should unauthorised external Parties be allowed to work on
individual systems.
• Non-disclosure undertakings should be firmly in place.
• Security Awareness and Training cannot be over-emphasized.
Combating Cyber Crimes 1:
In Summary
Most Common Social
Engineering Cyber Crimes
• Phishing
• Spear Phishing
• Dumpster Diving
• Tail Gating or Piggybacking
• Watering Holes
• Pretexting
• Baiting
• Quid Pro Quo
• Whaling
• Shoulder Surfing
• Others
Social Engineering Counter
Measures
• Social Engineering Counter Measures are more or less
applied from the same perspective.
• The Counter Measures are mostly preventive.
• Adequate Training and employees driven by a good Integrity
Culture would mitigate Social Engineering attacks
faster.
• Users should focus on using more secure web sites
with https:// and not http://.
• Users should be drilled with Phishing Campaigns to
enable easy assessment of their Cyber Security
Consciousness.
• Companies/Users should run with up-to-date security
Policies, Patches and Anti Malware.
• The human wing is the weakest link in Cyber Security;
Non-disclosure Undertakings and necessary background
checks should apply.
• Other Layers of Security and the Concept of Defence in
depth should also apply in cases where the attackers
could breach the preventive layer of the security
Measure.
• Spam Filters, Mail Relaying, Firewall and other Counter
Measures should also apply.
• A level of Sanction should apply in cases of breaches
Combating Cyber Crimes 2
(Others)
Stop! Think! Connect
Combating Cyber Crimes 2:
• The other Cyber Threats are discussed here.
• These include Authentication Attacks, Password
Attacks, Malwares, Patch Update Issues,
Disgruntled Employees, Denial of Service
Attacks, Distributed Denial of Service Attacks,
Encryption Issues, Social Media, Mobile Gadgets
and others as the case may be.
• The consequences and Countermeasures are
discussed accordingly.
Combating Cyber Crimes 2:
Malwares
• A Malware is malicious code written by attackers to infect and corrupt the
System, its Applications and files.
• The Hackers aim at profit, that is monetary gain, damage, theft of confidential
Information and in some cases just the fun of seeing their code doing as
instructed.
• The Types of Malware include Virus, Worms, Trojan, Ransomware, Polymorphic,
Kiddies Script and others.
• Virus: Malware program that infects the System and its Applications and then
replicates to other systems in the network with the help of a trigger, which could be
in the form of an application or another program. The Virus cannot function on its own;
a click, a user intervention or an application launch is needed for it to function and
replicate.
• Worm: Malware program that infects and replicates itself to other systems on the
network without any form of Intervention.
• Trojan: A program or an application with Malware code embedded in it. The
original intent of the User is to install an application, probably meant for games or
Music, only to realise after installation that it came with some Trojans that would in
turn infect the application files. It is a deceptive malware and unfortunately it is
spreading like wildfire. Most Current Malware is embedded in legitimate
applications or email attachments.
• Ransomware: Ransomware is a malware program that would infect the system
and files, encrypt/lock them and call on the Victim to pay a ransom before the files
could be released. Ransomware has seen steady growth since 2013. It
Combating Cyber Crimes 2:
Malwares: Counter Measures
• It is important to note that Malwares are the easiest way of infecting systems,
gaining unauthorised access and committing all kinds of information theft. Other attack
types in most cases use Malwares to trigger attacks. Social Engineering Malwares would
hide inside the phishing email attachment; Denial of Service would use
Malware to flood and slow down the systems.
• A Safeguard that stays ahead of Malwares must consistently be in place.
• Individuals or Businesses should subscribe to an Anti-Virus Vendor with a payment
plan rather than download one free of charge. Most free online Anti-Virus programs come
with some malicious codes or scripts.
• Ensure you download and run Anti-Virus updates on a daily basis.
• Train Users to report anomalies on Systems and Applications, especially unknown
vulnerabilities not experienced earlier by any User.
• Scan USB drives and preferably disable them on the system.
• Ensure there is always an updated policy on Bring Your Own Devices (BYOD);
otherwise do not promote BYOD on your premises, it could be dangerous.
• Harden your configuration settings to make unauthorised access difficult.
• If the Malware is the type that would collate and transmit information to an email
address, there would be a need to configure your SMTP (Simple Mail Transfer Protocol)
relay against Spam both inbound and outbound.
• Update, Update, Update: keep updating on a daily basis, especially on your critical
Systems.
Combating Cyber Crimes 2:
Identification, Authentication and Authorisation Attacks
• Identification is a claim made by an entity or a person. It could
be a User Name, User Id and others.
• Authentication is the process of validating the claim made by
an entity or a person as an identification.
• Authorisation is tailored around granting access rights and the
level of access right granted to an authenticated entity or
Persons.
• It becomes a Threat when an unauthorised entity or Person
accesses confidential information on the online system.
• There are so many vulnerabilities centred around the
authentication of entities and persons.
• Passwords have been the most common authentication
attribute and are seen as the weakest in the line of authentication methods.
• As attacks keep emerging and the bad guys keep exploiting
vulnerabilities, it became obvious that just User Name (ID) and
Password are not enough to authenticate an entity, especially on
critical transactions such as Electronic Payment Systems.
• This led to the introduction of Multi-Factor Authentication
Combating Cyber Crimes 2:
Multi Factor Authentications
• There are three types of Authentication: Something You know (Password),
Something You have (Smart Card) and Something You are (Biometrics).
• Due to the high rate of Cyber crimes emanating from unauthorised
access, it was mandated that a combination of any two types of
Authentication (Two Factor Authentication) or all three types of
Authentication (Multi Factor Authentication) should apply when transacting
online or logging into any critical system.
• Multi Factor Authentication is proven to be the best Counter Measure
against Authentication loop holes.
• Biometrics (behavioural and physical attributes of a person), which is seen
as something you are, proves to be the best and most secure
Authentication type since it cannot be impersonated, but it is still not
considered the best if it is not combined with one or two other
Authentication Types.
• A good example is electronic banking transactions: you first log in with
your User Id and Password, then supply a token or One Time Password for
verification.
Combating Cyber Crimes2:
Password Weaknesses
• A Password is a string of characters required for Authenticating a
person to access a Resource.
• The Password is seen as the oldest, most commonly used and weakest
form of Authentication. It belongs to the Something you know
type of Authentication.
• Passwords are prone to a series of attacks such as Guessing (Brute
Force), Searching from a list (Dictionary) and Table Look-up
(Rainbow Table) attacks.
• The aim of each of the Password attacks is to crack the password
and gain unauthorised access to Information Assets and
Resources.
• Passwords that could be easily guessed, found in a list of words, such
as your birth date, or looked up in a search could be easily
cracked.
• Kindly visit this site on the New Password Guideline from NIST
(National Institute of Standards and Technology).
• http://searchsecurity.techtarget.com/answer/What-new-NIST-password-recommendations-should-enterprises-adopt
Combating Cyber Crimes 2:
Passwords Management
• To ensure your Password is not easily guessed or accessible by the bad guys
who could be sitting by your side, some restrictions have to be applied and
enforced.
• Your Password must be a minimum of 12 characters with a combination of
numbers, capital and small letters, and some special characters such as
Symbols (#, @, !).
• The Password must be a word that you would easily remember as the owner
but quite difficult for anyone to guess and crack. A good example could be
‘C@t0!K1A’, this is a combination of CAT and KIA with interwoven symbols and
attributes. Just an example please.
• You must not write down your password on paper or on the screen of your
System.
• No one should have access to your password in your absence as a way of
accessing your files; the password Management Team should work out
alternatives around such bottlenecks.
• A Domain Controller or Active Directory kind of Architecture would allow
another User to log on to any other system on the domain, but that User may
require certain Application privileges on the other User’s system.
• There should be Password Non-disclosure undertakings for businesses.
• Vendors should have a temporary password that is time-bound and expires
each day of Log-in.
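The rules on the two password slides above can be enforced in code, as in the following added example (not part of the original slides). It checks the 12-character minimum and character mix, rejects passwords built on a dictionary word even when symbols are swapped in, and stores passwords with a per-user salt so that a precomputed look-up (rainbow) table is of no use. The word list, the swap table, the function names and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12          # minimum stated on the slide
ITERATIONS = 200_000     # assumed work factor; tune to your hardware

# Constructed sample list; in practice load a large list of common and
# previously breached passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "nigeria"}

# Symbol-for-letter swaps that dictionary attacks routinely try.
SWAPS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                       "3": "e", "$": "s", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Lower-case, undo the common swaps and keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(SWAPS))


def policy_findings(password: str) -> list:
    """Return the reasons a password fails the rules (empty list = passes)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "a capital letter": r"[A-Z]",
        "a small letter": r"[a-z]",
        "a number": r"[0-9]",
        "a special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            findings.append(f"missing {name}")
    plain = normalise(password)
    for word in sorted(COMMON_WORDS):
        if word in plain:
            findings.append(f"built on the common word '{word}'")
    return findings


def store(password: str) -> tuple:
    """Return (salt, digest) for the password table; the password itself is never kept.

    The random salt makes two users with the same password get different
    digests, so one precomputed table cannot be reused against the whole
    table, and the iteration count slows down each brute-force guess.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # The slide's sample, a swapped dictionary word, and a constructed strong one.
    for sample in ("C@t0!K1A", "P@ssw0rd!2024", "vK9#mQ2$xL7!pR"):
        print(sample, policy_findings(sample) or "passes")
```

The slide's sample ‘C@t0!K1A’ is eight characters long, so the length rule reports it, while ‘P@ssw0rd!2024’ satisfies the length and character rules and is only caught by the dictionary check.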
Combating Cyber Crimes 2:
Patches/Updates Issues
• A Patch is any program that is written with the view of correcting
errors or vulnerabilities existing on the System, be it the
Operating System or an Application.
• It is good practice to always run a weekly vulnerability scan on
all the systems on your network with timely remediation in
mind.
• It is also good practice to check for System Patches and updates
on a daily basis.
• Ensure Critical Updates are tested on your Lab Platforms before
deploying on the Live Systems.
• Deployment of Updates should not be at the peak of business
time. It should preferably be on weekends for businesses that do
not run at peak during weekends.
• Vulnerability Scanners such as Nessus, OpenVAS and others are
useful tools for vulnerability scanning across the network.
Combating Cyber Crimes 2:
Zero-Day Issues
• A Zero-day Vulnerability is an unknown error that could be
exploited by the attacker.
• Zero Day Vulnerabilities are mostly experienced on newly designed
applications; the bad guys are always busy in search of zero day
vulnerabilities.
• Users, including Mobile Application Users, should always be quick to
report any error or security concern to the Vendor of the
Application. It could be an avenue for the bad
guys to exploit if not reported on time.
• It should be noted that there is no new system that does not
come with such vulnerabilities; the earlier they are detected by
Users of the System, the better for all Stakeholders.
• Once such errors are detected and reported to Vendors, please
follow up on them for a timely patch for remediation.
• Consistent running of system Updates could avert Zero-day
Attacks.
Combating Cyber Crimes 2:
Denial of Service/Distributed Denial of Service Attacks
• Denial of Service Attacks are a series of malicious activities targeting the Availability of the system.
• The aim is to deny due access to Information Assets or prevent Users from working on their systems.
Denial of Service Attacks include:
• Spoofing: Malicious impersonation of a System User or Device on a network. The intent is to steal data, launch attacks against the Victim’s Network, inject Malwares into the Victim’s System or gain undue access to the Victim’s platform.
• SYN Flood: Malicious flooding of the Victim’s System with a succession of SYN (synchronisation) requests until the system becomes unresponsive and unavailable.
• Teardrop: Malicious sending of fragmented Packets (chunks of data) to the victim’s system such that the packets overlap one another and cannot be re-assembled. The Victim’s Network Infrastructure crashes in the long run.
• ICMP echo/Ping Flood: Malicious overwhelming of a Victim’s System with ping requests, that is Internet Control Message Protocol (ICMP) echo requests, until the system goes down.
• Ping of Death: Malicious sending of malformed IP Packets to the Victim’s System until the system crashes.
• Smurf: A distributed Denial of Service Attack that keeps sending bogus ICMP requests with the spoofed source IP address of the victim in such a way that the Victim’s Computer network gets confused and is rendered inoperable.
• Fraggle: This is much like a smurf attack, but instead of sending bogus ICMP requests, it broadcasts UDP Traffic with the Spoofed IP address of the victim using UDP ports 7 and 19.
• Botnets: A collection of malicious or infected Computers/devices on the Internet being controlled by an attacker for further attacks such as thefts, leakages, undue accesses and others.
• Man-in-the-Middle: An act of intercepting communication sessions between two or more Parties. IBM X-Force's Threat Intelligence Index 2018 says that 35 percent of exploitation activity involved attackers attempting to conduct MiTM attacks. An example of a MITM attack is session Hijacking.
• Most denial of service (DOS) attacks could be inbound (traffic coming from outside the network) or outbound (traffic going outside the network from inside).
• Distributed Denial of Service (DDOS) attacks would deny Users access from two or more systems with floods of attacks against the User.
• Both DOS and DDOS could be likened to a group of individuals sitting on a web application or the network of an Internet Service Provider to ensure maximum downtime and lack of service to customers. Most are being paid to run down the services of a competitor.
• In most cases, the systems are slowed down by non-stop flooding of requests, probably IP requests, which would end up fragmenting and killing the system or network as the case may be.
• End Point and layered Security is the best approach to Denial of Service attacks. Preventive measures, Firewalls, Intrusion Detection, Intrusion Prevention, Penetration Testing, Hardening of Configuration Settings, Updated patches and Anti-Malwares, adequate IP addressing techniques (both for outbound and inbound networks), Demilitarized Zones, Reconnaissance, Finger Printing and adequate Back-up plans would go a long way as Counter Measures against DOS and DDOS.
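The Intrusion Detection counter measure can be illustrated for the SYN Flood entry above. The added example below (not part of the original slides) counts half-open handshakes per attacked service rather than per sender, because the sources in a flood are usually spoofed. The packet record layout, the thresholds and the sample traffic are assumptions; the traffic is constructed and uses documentation address ranges.

```python
from collections import defaultdict, namedtuple

# One observed TCP packet; flags is "S" (SYN), "SA" (SYN-ACK) or "A" (ACK).
Packet = namedtuple("Packet", "ts src sport dst dport flags")


def syn_flood_alerts(packets, window=5.0, threshold=20):
    """Return {(server_ip, port): peak} for services under a likely SYN flood.

    A handshake is half-open when the client's SYN was seen but its final
    ACK was not. Entries older than `window` seconds are treated as timed
    out by the server. A service is reported when the number of half-open
    entries reaches `threshold`.
    """
    pending = defaultdict(dict)      # service -> {(client_ip, port): SYN time}
    peaks = defaultdict(int)
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        service, client = (p.dst, p.dport), (p.src, p.sport)
        if p.flags == "S":
            table = pending[service]
            table[client] = p.ts
            # Drop entries the server would have timed out by now.
            for old in [c for c, ts in table.items() if p.ts - ts > window]:
                del table[old]
            peaks[service] = max(peaks[service], len(table))
        elif p.flags == "A":
            pending[service].pop(client, None)   # handshake completed
        # "SA" travels from server to client and needs no bookkeeping here.
    return {svc: peak for svc, peak in peaks.items() if peak >= threshold}


def constructed_capture():
    """Constructed sample traffic, not a real capture."""
    packets = []
    # Three normal clients completing the handshake with a mail server.
    for i in range(3):
        t, client, port = 1.0 + i, f"198.51.100.{10 + i}", 40000 + i
        packets += [
            Packet(t, client, port, "192.0.2.20", 25, "S"),
            Packet(t + 0.01, "192.0.2.20", 25, client, port, "SA"),
            Packet(t + 0.02, client, port, "192.0.2.20", 25, "A"),
        ]
    # Fifty SYNs within one second to a web server, none ever completed.
    for i in range(50):
        packets.append(Packet(10.0 + i * 0.02, f"203.0.113.{i + 1}",
                              1024 + i, "192.0.2.10", 443, "S"))
    return packets


if __name__ == "__main__":
    for (ip, port), peak in syn_flood_alerts(constructed_capture()).items():
        print(f"possible SYN flood against {ip}:{port}, {peak} half-open handshakes")
```
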
Combating Cyber Crimes2:
Disgruntled/Exited Employees
• Employees of any Business are seen as the source of major attacks and theft on the
platforms of the Business Firm.
• Most Employees are disgruntled, probably feeling cheated and neglected by the
Management of the business.
• Those that have stayed for years without promotion or without reward for hard work,
those that came into the business already bad and notorious, and others may find it
difficult to promote the cause of the business.
• Exited Employees on the other hand would be more aggressive and do the worst
with any little privilege to access any platform.
• It is therefore important to ensure adequate Security Policies, Standards, Guidelines
and Procedures are in place before employment, during employment and on
termination of appointment.
• A Background check before employment is paramount; establish a due policy on
Termination Processes.
• The employee’s logical access rights must be disabled; the Systems Admin Team
should ensure this is done seamlessly with no stone left unturned.
• It is best practice for companies to deploy a Single Sign-On Platform in order to
reduce the Administrative bottlenecks that could pose a challenge in managing
employees’ access.
• The remuneration should be impressive and transparent to all Stakeholders.
• Employees should be required to sign undertakings at the assumption, on-the-job and
termination stages.
• Sanctions should be tied to any Violation whatsoever.
Combating Cyber Crimes 2:
Mobile Phones and Applications
• McAfee reported, as at the first quarter of the year 2017, about 6 million Mobile Malware
targeting the various Mobile Operating Systems especially Apple, iOS and Android.
• There is a tremendous increase in Mobile Device breaches.
• The next slide shows a table of Malware Threats on Mobile devices.
• Aside from the tabulated attacks, there are BlueSnarfing (theft of Mobile wireless Information
through a Bluetooth connection), Blue Jacking (sending of unsolicited messages from one
Bluetooth device to other Bluetooth devices such as Mobile Phones, PDAs, Tablets and others) and
Eavesdropping (silent listening to voice conversations made on phones).
• Unwarranted remote monitoring using Mobile Devices is at an alarming rate. The
bad guys have gone as far as installing persistent tracking and surveillance software on their
mobile devices for round-the-clock monitoring.
• Breaches on Mobile Apps could go on and on as the abuse is innumerable; pornography
is being highly promoted via Mobile Gadgets.
• It is also reported that security around Mobile devices is becoming more difficult, but
there would always be a way out.
• Users should always change the default settings on buying any device.
• Subscribe to the Phone Manufacturer’s Logging and Phone Tracking features in case of loss.
• Encrypt and always back up your Mobile data; the bad guys would find it useless if they
succeed in stealing it.
• Never relent on running updates on the Operating Systems and various Apps as the case may
be.
• Always protect your gadget with a Pouch.
• Use screen locks and PINs to prevent unauthorised access.
• Don’t settle for the Default Settings unless they cover your security concerns. It is good
practice to change default settings.
Combating Cyber Crimes 2:
Threats on Mobile Gadgets and Apps
Combating Cyber Crimes 2:
Advanced Persistent Threats
• An Advanced Persistent Threat is a kind of threat that grants the criminal
unauthorised access to your Information Assets perpetually without notice.
• The Attacker stays on the system for a long time once unauthorised access is
gained on the System.
• The unauthorised Access could be gained through social Engineering attacks.
• The intent is to steal company data for monetary gain, not for damage.
• An initial access could be gained through Social Engineering; the attacker quickly
uses the access granted to fetch more useful log-in information of other Users and in
the long run creates a back door on the system.
• He could be transmitting outbound Data on a daily basis and still go unnoticed.
• Most successful Advanced Persistent Threats are driven by Insiders. They apply
further threats such as Data Diddling (unauthorised manipulation of data while
inputting the data into the system) and Salami Techniques (unauthorised process of
slicing insignificant figures by System Users until it accumulates to a large sum)
unnoticed.
• End Point Security, Intrusion Detection and Prevention should apply here, even though
the threat may evade them and not be traced on time.
• Anomalies in the Outbound data could alert the Network team.
• Everything still boils down to Layered Security, end-user training and awareness.
• Unauthorised access granted unduly could be fatal and difficult to detect because
the access was through a legitimate User.
• Logging and Monitoring of events would also go a long way.
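The point that anomalies in outbound data could alert the Network team can be made concrete with the following added example (not part of the original slides). It compares each host's outbound volume with its own baseline and, because the slide notes that data can leave daily and still go unnoticed, also reports small transfers that recur every day to a destination never seen in the baseline. The record layout, host names, thresholds and sample flows are constructed assumptions.

```python
from collections import defaultdict
from statistics import median


def robust_z(value, history):
    """Modified z-score built on the median and MAD, which a few extreme
    days in the history do not distort the way a mean would."""
    mid = median(history)
    mad = median(abs(x - mid) for x in history) or 1.0
    return 0.6745 * (value - mid) / mad


def longest_run(days):
    """Length of the longest run of consecutive day numbers."""
    best = run = 0
    previous = None
    for day in sorted(set(days)):
        run = run + 1 if previous is not None and day == previous + 1 else 1
        best, previous = max(best, run), day
    return best


def outbound_findings(flows, baseline_end, z_limit=3.5, min_streak=5):
    """flows: (day, host, destination, bytes_out) records from flow logs.

    Days below `baseline_end` form each host's baseline. Two findings:
    - "volume-spike": a later day's total is far above the host's baseline;
    - "new-destination-daily": a destination absent from the baseline is
      contacted on `min_streak` or more consecutive days, however small
      the transfers are.
    """
    flows = list(flows)
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    known = defaultdict(set)                        # host -> baseline destinations
    for day, host, dest, size in flows:
        daily[host][day] += size
        if day < baseline_end:
            known[host].add(dest)
    new_dest_days = defaultdict(list)               # (host, dest) -> days seen
    for day, host, dest, size in flows:
        if day >= baseline_end and dest not in known[host]:
            new_dest_days[(host, dest)].append(day)

    findings = []
    for host, per_day in sorted(daily.items()):
        history = [b for d, b in per_day.items() if d < baseline_end]
        if not history:
            continue
        for day in sorted(d for d in per_day if d >= baseline_end):
            if robust_z(per_day[day], history) > z_limit:
                findings.append(("volume-spike", host, day))
    for (host, dest), days in sorted(new_dest_days.items()):
        streak = longest_run(days)
        if streak >= min_streak:
            findings.append(("new-destination-daily", host, dest, streak))
    return findings


def constructed_flows():
    """Constructed sample: 14 baseline days, then 7 monitored days."""
    flows = []
    for day in range(21):
        normal = 50_000_000 + (day % 5) * 1_000_000
        flows.append((day, "ws-17", "mail.corp.example", normal))
        flows.append((day, "ws-22", "mail.corp.example", normal))
        if day >= 14:   # 2 MB a day to an address never seen before
            flows.append((day, "ws-17", "203.0.113.77", 2_000_000))
    flows.append((16, "ws-22", "mail.corp.example", 450_000_000))  # one-off bulk
    return flows


if __name__ == "__main__":
    for finding in outbound_findings(constructed_flows(), baseline_end=14):
        print(finding)
```

In the constructed data the 2 MB daily transfers from ws-17 stay below the volume limit and are reported only by the recurring new-destination check.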
Combating Cyber Crimes 2:
Employees Collusion
• Employees Collusion is a process where two or more employees with different levels
of Access Rights agree to combine their access rights to enable them to commit
fraud on the System.
• The Collusion scenario is that of one employee’s access right, probably on the
inputting side, not being able to complete a transaction until the other employee,
probably on the authorising side, makes it up and successfully completes the
Transaction.
• Employees in Collusion could run down and liquidate the company if it is not
noticed on time.
• Employees should not be allowed to stay on the same role for too long; adopt the
culture of rotating them round the other roles.
• Promote the culture of mandatory Vacation; no employee is indispensable.
• Monitoring and logging of events would go a long way in tracing anomalies, even
though this would be difficult to trace.
• Apply dual authentication techniques (two people logging in to a system at the same
time with a joined password or any other authentication type) on most critical
Systems. This would deter further.
• Do all you can to harden your Separation of Duties Policies and Procedures.
• You could as well extend the approval of your critical transactions up to the
Highest Level of Management; the fraud could be detected as it goes up the
reporting lines, except if all stakeholders are involved in the collusion.
Combating Cyber Crimes 2:
Social Media
• The challenges on Social Media have become quite enormous and threatening.
• It has become so easy to search for people through Social Media using just the first Name.
• Social Media has become the easiest way to get the information of Victims and to track
their movements and locations.
• There are issues of abuse of Personal Privacy through sharing personal data on social media
without permission and consent from the Data Owners.
• There are cases of the bad guys hacking into the profile of Victims and using it to publish
Posts.
• The good news is that most of these Social Media Providers are now updating and
remediating the security flaws around their Platforms.
• You are entitled to share your security concern at any time with these Providers at their
various support centres.
• Always ensure you read the privacy statements thoroughly before raising issues on
Security.
• It is also advisable that you check the privacy and Security settings of each of these
platforms; don’t settle for the defaults.
• Kindly visit the following links on the Privacy and Security settings of Facebook and
LinkedIn:
• https://www.facebook.com/settings?tab=privacy
• https://www.facebook.com/settings?tab=security
• https://www.facebook.com/safety (study the Safety Centre for various Privacy and security descriptions)
• https://www.facebook.com/safety/policies
• https://www.facebook.com/safety/tools
• https://www.linkedin.com/psettings/
Combating Cyber Crimes 2:
Encryption as a Security Measure
• Encryption is the process of converting a readable (Clear Text) message
to an unreadable (Cipher Text) state.
• Encryption Mechanisms have been proven to be the best approach to
hiding highly confidential messages, with the necessary keys and algorithm
to strengthen the mechanism.
• It is important to note that Encryption is a preventive Technical Control
aiming at the Confidentiality aspect of the CIA triad. It protects an
Information Asset from unauthorised Access and Undue disclosure.
• Encryption would also assist the business in applying Security with a
level of Obscurity, as in Steganography, the act of hiding information by
embedding it in another file.
• In most cases, Encryption comes as the second level of protection in the
Security Layer, especially against theft of the Asset.
• For example, a stolen Mobile phone would be useless to the thief if it is
encrypted and inaccessible to the thief; the same goes for a stolen laptop
with full disk encryption on it.
• It is then a very good practice for individuals and businesses to deploy
encryption algorithms on their Applications, Password Tables and
Manager, Systems, Mobile Phones, Data in Transit and Data at Rest and
others.
WRAP-UP!
Important Facts
• It is good practice to understand what you are protecting, how to protect it and
how to fight against the threats surrounding it. This is what Cyber Security is all about.
• To achieve and enforce a good measure of Cyber Security, it is advised that the
User, Business and Governmental body abide by the local and Global Standards
and Regulations.
• These Regulatory bodies have a way of compelling entities to maintain Due Care
and Due Diligence in carrying out their duties.
• Examples of such Regulatory bodies are the ISO (International Standard
Organisations) group, whose Cyber Security standard is tagged ISO 27001 for Information
Security Management System, and NIST (National Institute of Standards and
Technology), whose E-mail Cyber Security standard is NIST-45 and whose Risk standard is NIST-30.
• We also have other bodies such as Economic and Financial Crimes Commission
(EFCC), Central Bank of Nigeria (CBN), Nigerian Financial Intelligence Unit (NFIU),
Payment Card Industry Data Security Standards (PCIDSS), Health Insurance
Portability and Accountability Act (HIPAA) and others. HIPAA is applied more in
the USA.
• Businesses and Governments should not just aim at the Certifications but ensure
that each of the frameworks is duly applied, enforced and well maintained.
• Most of the frameworks are integrated and customised to suit the Business
processes and thus make enforcement seamless.
Important Facts Cont’d
• Always remember that the human wing is the weakest link in any
organisation. It is good practice to promote both local and overseas
training for Users.
• Authentication loop holes are another area that grants easy and
unauthorised access to the bad guys. It is good practice to enforce the
Multi factor authentication technique, manage Passwords effectively and use
Single-Sign-On techniques to reduce the administrative bottlenecks.
• It is important to ensure Segregation of Duties, the Principle of Least
privilege (User can only access resources required to do the job and
nothing more) and Need To Know (User can only utilise the level of
knowledge required). Logs and Monitoring tools must apply, preferably
SIEM (Security Information and Event Management).
• Standards such as Open Web Application Security Project (OWASP) and Open Source
Security Testing Methodology Manual (OSSTMM) should apply on Software and Applications,
as well as Integrated Code testing techniques such as Fuzzing.
• Layered Security, Defence-in-depth and End Point Security are the way to go!
• Always run tools to test the level of penetration, intrusion detection and prevention.
• Run Vulnerability scans on a daily basis as new vulnerabilities emerge daily.
• Always run Patches, Updates, Anti-Malwares and Monitoring tools, encrypt data in
motion and at rest, and embrace full disk encryption for your laptops and others.
• Always STOP, THINK and CONNECT.
Practical Approach To Combating Cyber Crimes
• ‘Breaking News’ revealed the speed of Cyber Crimes as new
Technologies emerge, how it has affected the Global world, Africa and
Nigeria as a whole, and the objectives behind the National Cyber Security
Awareness Month Program (please refer to ‘Breaking News’).
• ‘Overview of Cyber Security’ emphasised the Concept of the
Confidentiality, Integrity and Availability (CIA) Triad.
• ‘Identifying and Classifying your Information Assets’ revealed the
importance of identifying, evaluating and classifying your Information
Assets as the first step in Cyber Security. It is the Value you place on your
Assets that would determine the Measure of protection required on the
Asset.
• ‘Protecting Your Information Assets’ further revealed the various
Security Measures and Controls that apply in Cyber Security: the three
Control Types (Administrative, Technical and Physical) and the 7 Security
Measures (Preventive, Detective, Deterrent, Corrective, Restorative,
Compensative and Directive). It is important to understand each term
and the concept around each.
• ‘Determining The Ideal Security Measures’ emphasised a level of
assurance that the Security Measures/Counter Measures/Safeguards around your
Information Assets are the best and most suitable at that point in time, using
Vulnerabilities and Risk Analysis/Assessment Methods.
• ‘Combating Cyber Crimes 1’ exposed the Threats associated with Social
Engineering. Social Engineering Attacks are reported as the most common and
successful Cyber Crimes. The majority of the attacks may not be possible if the human
wing is secured enough with the right knowledge and skills ahead of the bad guys.
User Training is important, and security metrics and campaigns should be used to
measure the level of Security knowledge.
• ‘Combating Cyber Crimes 2’ exposed other Cyber Threats aside from Social
Engineering. The truth is that the list is unending: Cyber Security cuts across
Applications, Patches, Operations, Physical, Encryptions, Networks and
Communications, Access Controls, System Updates, Mobile, Logs and Monitoring,
Firewalls and Social Media. In fact, virtually everything is riding on the internet, and
managing it all proactively is paramount.
• Kindly share with others; remember, Cyber Security is the responsibility of everyone.
Practical Approach To Combating Cyber Crimes Cont’d
All about Cyber Security
Subsequent Series on Cyber Security:
Watch out/Contact Us
• Kindly watch out for more Articles, Posts and Publications on
Cyber Security, especially as the Threats emerge.
• Also follow us on the various media: LinkedIn, Facebook and Twitter.
• You can as well contact us for your training/prep for your Cyber
Security Certification Exams such as CISSP (Certified Information
Systems Security Professional), CISM (Certified Information Security
Manager), CISA (Certified Information Systems Audit) and CEH
(Certified Ethical Hacker).
• Also contact us for your holistic and Resilient Cyber Security
Solutions and Training, Penetration Testing, Big Data Security and
Systems Audit.
• We handle both Corporate and Individual Training.
• Thanks again for being part of this presentation; we appreciate
you.
Chinatu Uzuegbu
CCISO, CISSP, CISM, CISA, CEH, MSc.(Liverpool)…
Senior Cyber Security Consultant
RoseTech CyberCrime Solutions Ltd
info@rtechccsl.com
chinatuuzuegbu@gmail.com
+2348037815577
Membership: ISACA, ISACA Lagos, ISC2, CSEAN, EC-Council

 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Practical approach to combating cyber crimes

  • 1. Practical Approach To Combating Cyber Crimes Chinatu Uzuegbu CCISO, CISSP, CISM, CISA, CEH…….
  • 2. Breaking News!!! • Nigeria loses about N200b ($709m) to cyber crime annually. • In Nigeria, there were about 3,500 (70%) successful cyber attacks targeting the country's InfoTech space, including government infrastructure. • Nigeria ranks 3rd in global internet crime, after the United Kingdom and the USA. • Africa as a whole loses about $2b to cyber crime every year, as reported in 2016. • In the USA, the rate of cyber breaches targeting Health Care Organisations and their Electronic Health Records (EHR) has increased from 0.63% before 2015 to 34% in 2015 and 90% as at today, as reported by the Ponemon Institute.
  • 3. Breaking News!!! Cont’d • A 2017 global cyber crime analysis revealed that the cost of cybercrime damages will increase from $3 trillion as at 2015 to $6 trillion annually by 2021. This was reported by the Herjavec group of Cyber Security Ventures. • The global loss to cyber crime amounted to over $700 billion (N253t) per year, and it is projected to rise to about $2 trillion by 2019, due to the rapid digitization of consumer lives and company . The number of incidents in 2016 grew by 38% as against the number reported in 2015. • A 2017 cyber crime analysis revealed that cybercrime damages will cost the world $6 trillion annually by 2021. • According to Intel, ‘The Big Data Bang’ is an Internet of Things (IoT) worldwide technology that will explode from 2 billion objects (smart devices which communicate wirelessly) in 2006 to a projected 200 billion by 2020.
  • 4. Breaking News!!! Cont’d • According to Gartner’s forecast, more than half a billion wearable devices will be sold worldwide in 2021, up from roughly 310 million in 2017. Wearable devices include smart watches, head-mounted displays, body-worn cameras, Bluetooth headsets and fitness monitors. • Cyber Security Ventures also predicted in its 2017 report that there would be a global protection of about 300 billion passwords by 2020. • Nigerian hackers also participate in malicious activities on the global cyber sphere, such as the $3 billion heist recently reported by the FBI that affected over 500 companies in over 50 countries including Germany, United Arab Emirates (UAE), India and Russia.
  • 5. Breaking News!!! Cont’d • Ransomware costs rose the most between 2017–2018, from $533,000 to $646,000 (a 21% increase), as reported by the World Economic Forum. A loss of $24m was reported before 2015, and as at the first quarter of 2016 it had increased to $209m. • A malware known as ‘Lazarus’ was used to compromise and hack into over 200,000 banking and financial systems in over 150 countries. It was reported that the malware originated from the Middle East, mostly Syria, Iran and Kenya. Nigeria, if not proactive enough, would soon be on the target list.
  • 6. Why so Much Loss to Cyber Crime? • Cyber criminals run ahead of emerging Technology to exploit vulnerabilities. • Thousands of new Applications, including Desktop, Web and Mobile Applications, are released every day for different purposes. • The malicious guys are steadily on top of their game, taking advantage of these Software and Application releases. • This is the Cyber age and there is nothing anyone can do about it: virtually every aspect of life rides on the Cyber, and Internet of Things deployment has kicked off. The malicious guys keep threatening and gaining ground. • The rise of Cyber War is so drastic that if Nigeria does not rise to combat Cyber Crime, the yearly loss could increase to $trillion.
  • 7. Why so much Loss to Cyber Crime... Cont’d • Critical Information and Forums that should be highly sensitive are in the Open. • No Policies binding the management of Information ‘at Rest’, ‘in Transit’ and ‘Discussed’. • Unwarranted Monitoring and Undue Tracking Tools have made both Personal and Corporate Information Privacy nearly impossible. • Sensitive discussions in the boardroom are circulated across the globe even before the end of such meetings with these unwarranted Monitoring Tools.
  • 8. Why so much Loss to Cyber Crime... Cont’d • No corresponding Security updates and tools to run with the emerging Technology, and in the long run the Security Policy is not updated. • Most Victims of Cyber attacks do not have proactive knowledge of how to secure their Resources. • Unfortunately, the Cyber Security Professionals, the expected Mediators and Supporters of the Business, are few in the market and are not keeping up with the high pace of the attackers in playing their mitigating roles. • Cyber Security is quite a new field and there is a general knowledge gap.
  • 9. Practical Approach To Combating Cyber Crimes: Objectives • To minimise the ad hoc, chaotic and reactive approach to securing the Critical Information Assets of Organisations. • To Promote a more proactive approach to securing these critical Information Assets. • To establish a clear and explicit approach to combating Cyber Crimes. • To assure Organisations that their investments on Information Security could be transparent, measurable and Value-driven. • To understand the various Cyber Threats in line with Counter Measures.
  • 10. Practical Approach To Combating Cyber Crimes: Outline • Overview of Cyber Security. • Identifying and Classifying your Information Assets. • Protecting your Information Assets. • Determining The Ideal Security Measure. • Combating Cyber Crimes 1 (Social Engineering Attacks). • Combating Cyber Crimes 2 (Others).
  • 11. Overview of Cyber Security The philosophy of The CIA Triad
  • 12. The CIA Triad The journey begins here
  • 13. The CIA Triad • CIA is an acronym for Confidentiality, Integrity and Availability. • It can be in any direction such as AIC triad or ICA triad. • It is more like a triangle as they work together, each is as important as the others in the triangle. • The tour around the sphere of Cyber Security begins here and the journey still continues. • Cyber Security is an act of protecting and safeguarding the Critical Information Assets of an entity to an acceptable level using the concept of the CIA Triad. • The Concept of The CIA Triad promotes Multi-Layered Security or Defence. • The CIA Triad is more like a Framework that covers Security Policies, Controls, Safeguards, Counter Measures, Threat Vectors, Security Processes and lots more.
  • 14. Confidentiality • The act of ensuring that the entity’s critical Information Assets are protected from unauthorised access and disclosure. • Mostly referred to as the ‘secrecy Object’. • The act of ensuring that risks prone to the loss or disclosure of Critical Information Assets of an entity are reduced to an acceptable level. • A reasonable level of secrecy is enforced at each point of data processing and at the same time prevents undue disclosure. • Attacks against Confidentiality include shoulder surfing, Password theft, undue Network monitoring, social Engineering, breaking of encryption algorithms and others.
  • 15. Integrity • The act of ensuring that the entity’s Critical Information Assets are accurate and protected from unauthorised modification. • Integrity promotes a level of assurance in three ways: – Preventing unauthorised Modifications by unauthorised party. – Preventing unauthorised, unanticipated or unintentional modifications by the Authorised party. – Maintaining Internal and External consistencies. • Attacks against integrity include alterations of data at Rest and in Transit. • The Integrity Controls include Hashing, Digital Signatures, Authentication, Separation of Duties, Acceptable Use Policy(AUP) and Others.
  • 16. Availability • The act of ensuring that the Critical Information Assets are accessible to authorised parties as and when required. • The Information Assets include hardware, data, physical facility, Software Applications, Web Browsers and Applications, Network Infrastructures and others. • The attacks against Availability include Theft, Denial of Service (DoS), Distributed Denial of Service (DDoS), Malware, slow performance of resources, low capacity, low Bandwidth and others. • The Availability Controls include system/hardware redundancy, connection and transmission availability, Intrusion Prevention Systems (IPS), restoration of services, systems and Data, Business Continuity and others.
  • 17. Assurance of Confidentiality, Integrity and Availability • Drive the concept of the CIA Triad with a Top-down approach. (Senior level Stakeholders from the various Business and Technical Units should be involved.) • Identify and outline the Critical Information Assets of the entity. • Classify each Asset based on its Value and Impact on the entity’s bottom line. • Evaluate the Threats, Vulnerabilities and Impact using a Risk Management Framework. • Treat Risk by ensuring the ideal Controls, Countermeasures and Safeguards are implemented and configured around the Asset. • Always think Layered Security or Defence in-depth when implementing the controls, so that the entity does not rely on only one safeguard and remains protected when one safeguard fails. • The Countermeasures and Safeguards assure an acceptable level of Confidentiality, Integrity and Availability around the Asset. • Regular Review and update of the Risks would ensure an ‘on top of the game’ culture.
  • 18. Identifying and Classifying your Information Assets
  • 19. Identifying and Classifying your Information Assets: Quotable Quotes • The degree of Value you place on your assets determines the level of protection you would commit to such Assets. • Think Value before Security. • The Value you attach to anything in life would either motivate or de-motivate you for respective positive or negative actions towards that thing. • The driving force or zeal exhibited on securing any Asset/Resource is dependent on the Value attached to it.
  • 20. Identifying and Classifying your Information Assets: What is an Asset? • An Asset is any desirable and good quality item with an exchangeable Value. It is an item of ownership convertible into cash; total resources of a person or business. • An Asset is that data, application, System, Server, Database, Financial Info, Mobile Phone, Laptop, Network and communication Infrastructure, Goodwill, cash or other item valuable to you as a person, corporate firm or Government. • The level of Value and Importance you attach to each Asset classifies it as either High or Low. • An Asset is highly valued if it is such that you cannot do without it. You would need to go the extra mile in securing it from any form of attack or destruction.
  • 21. Identifying your Information Assets • Any successful Cyber Security program must begin with identifying your critical Information Assets, that is, those Assets that keep the Entity running. • This could be achieved using Impact Analysis and Risk Assessment Techniques, that is, analysing how much loss the Entity would incur if for any reason the Asset is no longer available. • The impact analysis would give a clearer picture in identifying the actual Assets required.
  • 22. Classifying your Information Assets: Identified? To what Degree? • The next step after identifying your critical Information Assets is to classify the identified Assets. • The classification of each Asset is determined from the result of the impact analysis done with the Asset owners. • All Stakeholders of the Assets, who should be members of the Cyber Security Steering Committee, would analyse and classify the value of each Asset. • The Classes of Value could be: Critical, High, Medium, Low or as defined by the Committee.
  • 24. Protecting Your Information Assets • Once your Information Assets are identified and classified, the knowledge of the various Control Types and Techniques required for protecting them applies, following the concept of the CIA Triad discussed earlier. • The Administrative, Technical and Physical Control Types are the first Layer under the Umbrella of the CIA Triad. • The Preventive, Detective, Deterrent, Recovery, Corrective and Compensative granular controls under each Control Type cover the second Layer under the Umbrella of the CIA Triad. • Understanding the above concepts would help in building layered and seamless security measures or Controls around your Information Assets.
  • 25. Protecting Your Information Assets: Administrative Controls • The governance and operational procedures of the entity and its environments right from inception. • The frontline of the business comprising Policies, the corporate image, the registered business name, website, domain name, the philosophy of the business, Vision, mission, culture, brand and overall values. • The Human related processes including the employees procedural manuals, job employment, Organisational structures, termination and exits. • The Administrative Controls address the various ways of protecting the administrative Assets of the Entity. • The Administrative Controls are the development and publishing of Policies, Standards, Procedures and Guidelines, the management of risk, background checks, terminations and exits processes and other Security awareness programs.
  • 26. Protecting Your Information Assets: Technical Controls • The Technical(Logical) aspect of any Business or organisation manages the Systems Infrastructures of the Business from the Logical Point of view. • The end to end architectural flow of each infrastructure is managed here. • The Technical Controls address the various ways of protecting the Business Information Assets from the logical perspective. • The Technical controls comprise the implementation, maintenance and overall management of Access Control mechanisms, Passwords, System and Online Resources, Infrastructures, Configuration Management Database(CMDB), the identification, authentication and authorisation techniques and others.
  • 27. Protecting Your Information Assets: Physical Controls • The Physical aspect of any Business manages the Facilities and their perimeters, the Business environments, Car Parks and entry points; as a matter of fact, all physical devices in the Business premises and in transit. • Physical Controls address the various ways of protecting these facilities with a level of assurance that the security measures are balanced with the required techniques in the CIA Triad. • The Physical Controls comprise protecting, controlling and monitoring individual access to the facilities, the environment, the perimeter of the facilities, the various departments including the people, the entrances, the Data Centre and others.
  • 28. Protecting Your Information Assets: Preventive, Detective, Deterrent, Corrective, Recovery, Compensating and Directive • The Administrative, Technical and Physical Controls could be directly or indirectly applied in a layered approach with all or any of the required Security Measures (Preventive, Detective, Deterrent, Corrective, Recovery, Compensating and Directive). • Preventive: The Security Measures that aim at blocking threats and attackers from accessing and destroying the Information Assets. This covers the Policies (Administrative), Access Controls (Technical), Perimeter Defence (Physical) and others. Preventive measures are the first line of approach in securing Information Assets. • Deterrent: The Security Measures that aim at discouraging attackers from exploiting the Information Assets. This includes high fences and CCTV (Physical), Sanctions on Violations (Administrative) and Log-on banners warning of sanctions for system abuse (Technical). • Detective: The Security Measures that aim at finding Security breaches and the attackers at the point of exploiting the Information Assets, and stopping them from further exploits in cases where the preventive measures applied were not effective enough. This covers all kinds of monitoring (Physical), auditing, Logs and Intrusions (Technical) and Policy Violations (Administrative).
  • 29. Protecting Your Information Assets: Preventive, Detective, Deterrent, Corrective, Recovery, Compensating and Directive • Corrective: The Security Measures that aim at timely resolution of any damage or issue that led to system disruption or downtime. • Recovery: The Security Measures that aim at restoring lost or corrupted data. This covers Back-up data and plans. • Compensating: The Security Measures applied in cases where the ideal security measure is more expensive than the actual value of the Information Asset. • Directive: The Security Measures that are driven by a Top-to-bottom management approach. In most cases they are mandatory high level Management statements covering the Policies and Standards as well as the Local regulatory standards and the reputation of the Business. • When two or more of the security measures are applied to Information Assets, it is referred to as Layered Security, promoting the concept of Defence in-depth.
  • 30. Protecting Your Information Assets: Important Facts • Prioritise your security measures based on the Classification level and the criticality of the Information Assets. • In most cases the security measures first applied on the most highly classified Assets would automatically cover the other Assets in the medium or lower classification levels. • You must have a clear understanding of the ideal security measures to be applied on each Asset; a Vulnerability Assessment is required here. • Ensure that the cost of the Security measures applied on each Asset is not more than the actual cost or value of the Asset; seek a compensating measure at this level.
  • 31. Protecting Your Information Assets: Important Facts Cont’d • The Security measures must align with the Business Objectives of the Asset Owner and must not in any way hinder the business. • All Stakeholders, cutting across the Business Owners, IT, Systems Security, Internal Control and other necessary key Officers, must be involved in determining the ideal security measures, and this must be driven by the Top level Management. • Cyber Security is the overall responsibility of everyone. • Some Information Assets could be protected by applying any, some or all of the Confidentiality, Integrity and Availability principles, depending on the criticality of the Information Assets.
  • 32. Determining The Ideal Security Measure
  • 33. Determining The Ideal Security Measure • With a good understanding of the Controls and Security Measures, determining the Ideal Security Measures is the next step. • The Measures of protection could be ascertained using some Vulnerability/Risk Assessment Methodologies. • The Concept of Vulnerabilities, Threats and Risks would apply extensively. • The concept of overall Risk Management would also apply. • The cost of each Security measure against the actual value of the Assets would apply. • A little Math would also apply here, but it would not be much of a bother.
  • 34. Determining The Ideal Security Measure: Vulnerability • A Vulnerability could be defined as a weakness or looseness. • An Asset or any object could be seen as vulnerable if there is an element of weakness around that Asset. • The weakness could be in the form of an opening, exposure or something important lacking on the Asset. • There are visible and invisible vulnerabilities surrounding every newly installed or procured Asset. • It is a good practice to pro-actively outline the vulnerabilities around an Asset immediately after identifying it as Critical for your Business. • In Cyber Security, it is important to start your Risk Management process with a Vulnerability checklist around the Asset. • For example, a Critical Server Operating System (Asset) with no Anti-Virus, no updated patches, a weak log-in password, easy access by unauthorised parties, no Uninterruptible Power Supply (UPS) plug-in and other weaknesses surrounding the Asset is seen as highly Vulnerable.
  • 35. Determining The Ideal Security Measure: Threat • A Threat is that point at which the vulnerability is seen as a danger that could be exploited by the bad guys(hackers, criminals, attackers, others) known as Threat Agents. • For example, some of the Critical Operating System vulnerabilities outlined in the previous slide could cause so much harm on both the Asset and the business if exploited by the bad guys(Threat Agents). • The bad guys(Threat Agents) could take advantage of the fact that there is no Anti-Virus program on the system and get it infected with Virus(Threat). • Malware infection on a Critical System could be disastrous and negatively affect the Confidentiality, Integrity and Availability principles of Security. • An Asset could be Vulnerable but with High or minimal Threat, it all depends on the scenarios around the vulnerability and the probability of Impact.
  • 36. Determining The Ideal Security Measure: Risk • Risk is the probability or likelihood that a Vulnerability could be exploited with a Threat by a Threat Agent. • Following our Critical Operating System example, one of the vulnerabilities is the weak log-in Password, which could be easily guessed and attacked (Threat) by the Threat Agents. • The probability or likelihood that the weak Log-in Password (Vulnerability) could actually be exploited with guessing attacks (Threat) by the Threat Agent is referred to as Risk. • It is this level of certainty or probability that determines whether the risk is high, low or insignificant.
  • 37. Determining The Ideal Security Measure: Risk Cont’d • If the Risk is high, a Security Measure, which at this point is referred to as a Counter Measure or Safeguard, is proffered. • As discussed in the previous Nugget, the weak Log-in Password is a Vulnerability that falls under Technical Control and could breach the three basic principles in the CIA Triad. • The Security Measure (Counter Measure) would be a Preventive Technical Control tailored down to a stricter Password Management approach. • We would be looking at Risk from various perspectives in the subsequent slides.
  • 38. Determining The Ideal Security Measure: Risk Equation • Risk= Vulnerability * Threat * Impact • Impact is the consequence of the Threat exploiting the Vulnerability. • The Risk Equation assists us to understand the Risk level of a Threat exploiting a vulnerability on an Asset. • For example, the Critical Operating System’s missing patch(Vulnerability) could lead to unauthorised access to the system and other Applications on the System(Threat) and the consequence could amount to theft of data and so many others(Impact). • The Risk Equation would assist us to determine the Risk Response, that is if the Risk should be mitigated, Accepted, Avoided or transferred to Insurance.
  • 39. Determining The Ideal Security Measure: Risk Responses Risk Response is a process of determining a suitable Counter Measure to be applied on the Asset. The four basic Risk Responses are: • Mitigate: Reduce Risk to an Acceptable Level and with the right protection Mechanism to maintain it at that level. • Accept: To take the Risk as it is probably due to a minimal or insignificant likelihood. • Avoid: Not to do anything that is causing the Risk. • Transference: To involve a Third Party Insurance on the Assets especially when the cost of Counter Measure is unbearable to the Business.
  • 40. Determining The Ideal Security Measure: Risk Analysing Types We have two types of Risk Analysis generally: • The Quantitative Risk Analysis: A process of calculating Risk using numerical and monetary values. The Quantitative Risk Analysis takes into consideration: – The Asset Value (AV): The cost of the Asset, the man hours and the cost of labour. – The Exposure Factor of the Asset (EF): The level of Exposure. – The Single Loss Expectancy (SLE): The value of loss expected on one disruptive event (AV * EF). – The Annual Rate of Occurrence (ARO): The frequency at which the disruption could occur in one year. – The Annual Loss Expectancy (ALE): The value of loss expected in one year (SLE * ARO). • The Qualitative Risk Analysis: A process of calculating Risk using determined scenarios that could be subjective in nature.
  • 41. Determining The Ideal Security Measure: Cost of Counter Measure vs Value of Asset • Recall that the Cost of the Counter Measure should not be more than the value of the Asset. It is advisable that you use a compensating control at that point. • After you arrive at a Counter Measure using the Risk Equation and Risk Analysis, it is a good practice to evaluate the cost of the Counter Measure and ascertain that it is not more than the Value of the Asset. • To achieve this: Cost of Counter Measure = Annual Loss Expectancy (ALE) before Counter Measure - Annual Loss Expectancy (ALE) after Counter Measure - Annual Cost of Counter Measure.
  • 42. Determining The Ideal Security Measure: Risk Management Frameworks It is a good practice to run your Risk Management and Analysis using any of the following methodologies: • NIST SP 800-50 • FRAP • OCTAVE • FMEA • Others. Kindly do a search on each of the frameworks and apply accordingly.
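
The arithmetic of slides 38 to 41 carried through in Python, as an added example that is not part of the original slides. The class and function names, the acceptance threshold, the order in which the risk responses are tried, and every figure are assumptions constructed for illustration; a positive result from `slide41_figure` means the countermeasure removes more expected loss per year than it costs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pair on one asset (slide 40 inputs)."""
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per event (0..1)
    aro: float               # ARO, expected events per year

    def __post_init__(self):
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")

    @property
    def sle(self):
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annual Loss Expectancy = SLE * ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class CounterMeasure:
    name: str
    annual_cost: float
    ef_after: float    # exposure factor once the control is in place
    aro_after: float   # event frequency once the control is in place


def slide41_figure(before, cm):
    """ALE before - ALE after - annual cost of the countermeasure."""
    after = Scenario(before.asset_value, cm.ef_after, cm.aro_after)
    return before.ale - after.ale - cm.annual_cost


def recommend(before, candidates, accept_below):
    """Pick a risk response (slide 39). Decision order is an assumption:
    accept small risks, otherwise mitigate with the best affordable
    countermeasure, otherwise fall back to transfer or a compensating one."""
    if before.ale < accept_below:
        return ("accept", None)
    scored = [
        (slide41_figure(before, cm), cm)
        for cm in candidates
        # Slide 41: the countermeasure must not cost more than the asset.
        if cm.annual_cost <= before.asset_value
    ]
    scored = [item for item in scored if item[0] > 0]
    if scored:
        best = max(scored, key=lambda item: item[0])[1]
        return ("mitigate", best.name)
    return ("transfer-or-compensate", None)


# Constructed figures for the unpatched critical server of slides 34 to 38.
SERVER = Scenario(asset_value=200_000, exposure_factor=0.25, aro=2)
PATCHING = CounterMeasure("patch management", 15_000, 0.25, 0.5)
HOT_SITE = CounterMeasure("duplicate hot site", 250_000, 0.125, 0.5)
KIOSK = Scenario(asset_value=8_000, exposure_factor=0.25, aro=0.5)

if __name__ == "__main__":
    print("SLE:", SERVER.sle, "ALE:", SERVER.ale)
    print("patching:", slide41_figure(SERVER, PATCHING))
    print(recommend(SERVER, [PATCHING, HOT_SITE], accept_below=5_000))
    print(recommend(KIOSK, [PATCHING], accept_below=5_000))
```
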
  • 43. Determining The Ideal Security Measure: Important Facts on Risk Management • Information Risk Management is the responsibility of the Business Unit or Group Managers even though it has to be in support of the Top Level Management. • Risk Management focuses on reducing risk to a level acceptable by the Business and with the right mechanisms to maintain that level. • Risk Management would help to ascertain the most cost effective, relevant, up-to-date, ideal and resilient Counter Measure on a given Asset. • The right countermeasure would eliminate the Vulnerability and Threat but cannot eliminate Risk and the Threat agent. The Asset would be protected by reducing or mitigating Risk and preventing the Threat Agent from exploiting Vulnerabilities around the Asset. • There would always be some elements of risk left after applying the Counter Measure. This left-out Risk is referred to as Residual Risk.
  • 44. Combating Cyber Crimes 1 (Social Engineering)
  • 45. Combating Cyber Crimes 1: • With a good understanding of the Vulnerabilities, Threats and the Risks that the Vulnerabilities could be exploited and threatened, the knowledge of the various Cyber Threats/Crimes and the corresponding Security Measures to combat them is important. • The Security Measures could be preventive, detective, deterrent, Corrective, Restorative, Compensative and Directive. • The aim of the Security Measures is to assure that the Assets are protected with adequate measures of the Confidentiality, Integrity and Availability(CIA Triad) as the case may be. • The Threats are categorised into Social Engineering and Others inclusive of Denial of Service, Malwares, Breaches on Unauthorised Accesses, Perimeter attacks, breaches, Weak Authentications, Outbound and Inbound intrusions, Zero-Day and Others. • The Threats with their corresponding Counter Measures are detailed in the subsequent slides.
  • 46. Combating Cyber Crimes 1: Social Engineering Attacks • Social Engineering Attack is a way of being tricked by an Attacker to collect sensitive information from a Victim. • It can be referred to as a way of using legitimate means such as company’s website to innocently launch an illegitimate website by clicking on a link in the company’s website. • Social Engineering attacks do not require any technical know-how but little skills in tricking and playing on the intelligence of the victim. • Social Engineering Techniques is one of the easiest ways that an attacker gains access to an unauthorised information, in fact it has been steadily reported that Social Engineering attacks are the most common and successful Cyber attacks as they cover about 91% of the Cyber attacks. • It is important that in Cyber Security, no one should be trusted, a little psyching by any un-assumed hacker could unleash highly sensitive information into the hands of the Attacker. • It is also important to note that human(employees) are the weakest link in Cyber Security, they could be used and brain washed at any point in time. • Social Engineering Attacks include: Phishing, Spear Phishing, Pharming, Dumpster Diving, Shoulder Surfing, Watering Holes, Pretexts, Tailgating or Piggybacking, Whaling Baiting, Quid Pro Quo and Others. • We would discuss each of these attacks and their corresponding Counter Measures in the subsequent slides.
  • 47. Combating Cyber Crimes 1: Phishing and Counter Measures • Phishing is the act of using emails, messages and any other form of communication media to trick a victim into supplying personal information by clicking on a malicious link in the email. • The personal information supplied is then used by the attacker to infer information such as Log-in details, which they use for other malicious acts against the Victim. The information could also be used to extract information from Social Media. • The personal information could be the Credit/Debit card details of the Victim, the names of the Victim, company details such as IP addresses and others. • The messages and emails are composed in such a tricky manner that the Victim would have no choice but to be deceived into feeding in the requested Information. In most cases the attackers use well known details of the company, such as the domain name, to entice the victim further. • The attackers in most cases use a short web address or embedded links to redirect victims to a malicious site hosting scripts that trigger further attacks and exploits. • The main Counter Measure against Phishing attacks is Training and Security Awareness Courses. • It is advisable to use Phishing campaigns to drill staff on the level of Security knowledge acquired. • Downloading attachments or clicking on links in such emails should be avoided. • The company should deploy spam filters and firewalls to filter out such emails and keep them out of employees’ reach.
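The link tricks described in the Phishing slide (short web addresses, embedded links, and use of the company's own domain name) can be checked mechanically by a mail filter. The following is an added example, not part of the original slides; the company domain `example.com`, the shortener list and the sample email are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

COMPANY_DOMAIN = "example.com"                    # assumption: the organisation's real domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}    # assumption: shorteners the filter knows about
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample email body (not taken from a real message).
SAMPLE_EMAIL = """
<p>Dear colleague, your mailbox is full.</p>
<a href="http://example.com.mail-quota.test/login">https://www.example.com/login</a>
<a href="https://bit.ly/constructed123">Open the shared invoice</a>
<a href="https://intranet.example.com/helpdesk">example.com helpdesk</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def check_link(href, text):
    """Return the list of warning labels for one link."""
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return []                                  # mailto:, tel: and similar are out of scope
    host = strip_www((parts.hostname or "").lower())
    findings = []
    if scheme == "http":
        findings.append("not-https")
    if host in SHORTENERS:
        findings.append("shortened-url")           # real destination is hidden
    shown = DOMAIN_RE.search(text)
    if shown and not belongs_to(host, strip_www(shown.group(1).lower())):
        findings.append("text-host-mismatch")      # text shows one site, link goes to another
    brand = COMPANY_DOMAIN.split(".")[0]
    if brand in host and not belongs_to(host, COMPANY_DOMAIN):
        findings.append("lookalike-domain")        # company name used on a foreign domain
    return findings


def scan_email(html):
    """Return [(href, findings)] for every link that raised a warning."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        findings = check_link(href, text)
        if findings:
            report.append((href, findings))
    return report


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL):
        print(href, "->", ", ".join(findings))
```

A filter like this only raises warnings for review; it complements, and does not replace, the awareness training the slide names as the main Counter Measure.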
  • 48. Combating Cyber Crimes 1: Spear Phishing and Counter Measures • A Spear Phishing Attack is like the Phishing attack but more targeted, focused on a highly privileged employee of the company such as the CEO/Managing Director. • The scenario is to get some information about that high-profile Executive and then use the details to impersonate the Executive to get more targeted information for malicious intents. • The Counter Measures against Spear Phishing still boil down to Security Awareness. • Ensure adequate non-disclosure undertakings are in place with all employees of the company. • Employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email or checking via services such as https:// • Do thorough background checks on the help desk Team or the Team members working with the high-profile Officer such as the CEO/MD and others. A more targeted non-disclosure undertaking should be signed by each person on assuming duties. • Use Spear Phishing drills to test the level of knowledge of each staff member. • Maintain a level of consciousness and smartness in discerning the direction of unsuspected attackers, both in phone conversations and elsewhere.
  • 49. Combating Cyber Crimes 1: Dumpster Diving and Counter Measures • Dumpster Diving is the process of gathering unauthorised company Information from the garbage bin or trash can, either to use it for a malicious intent or to disclose it further to an unauthorised third party. • The motive behind dumpster diving could be to source information for benchmarking or competing with another company. It could be an avenue for passing customer information to a competitor for all sorts of malicious intents. • Dumpster Diving in most cases is seen as legal but could be unethical. This could be because the information gathered has in most cases been discarded and trashed. • Some consequences of Dumpster Diving could be a reduced customer base and damage to the image of the company through the information the attacker has obtained. • To Counter Dumpster Diving, always use your paper shredders. Shred your discarded hard-copy information; it does not really matter whether it is deemed sensitive or not, just imbibe shredding as part of Corporate culture.
  • 50. Combating Cyber Crimes 1: Watering Holes and Counter Measures • A Watering Hole Attack is a more focused and sponsored attack: the attacker takes time to study the website of the targeted company for vulnerabilities, with the intent of injecting malicious code into the pages of the website. • When the Users of the victim company launch the pages of the website as part of their usual job routine, the malicious code inserted triggers Trojans, which spread like a botnet to other systems on the network. • The Attacker uses this as a way of exploiting unknown vulnerabilities that the Attacker has detected. • The potential Victim System that is used to spread the Trojan is known as the Watering Hole. • The consequence of a Watering Hole is that the Vulnerability is a Zero-day (unknown), and it would be difficult for the Victim Company to find its footing again after the Trojan has spread. • To Counter the effect of a Watering Hole, ensure your systems are updated at both the Application and Operating System levels. Most updates could avert such Zero-day attacks. • Security Awareness is also key here; the attackers target careless and weak Users and use them to trigger and spread the malicious code. • Carefulness and non-disclosure of Log-in credentials should apply here.
  • 51. Combating Cyber Crimes 1: Tailgating (Piggybacking) and Counter Measures • Tailgating, also known as Piggybacking, is a process where an attacker or unauthorised Person tries to use the entry access right of an authorised Person to gain entrance into a building or an Office. • The Unauthorised Person would in most cases pretend to be in haste or carrying a heavy load and try to persuade the authorised Person to hold the door so that he/she can follow. • The Authorised Person in turn would innocently take pity and eventually allow the unauthorised entrance into the building or Office. • The Consequence is that the Unauthorised Person gains unauthorised access into the building and then carries out his malicious intent. It could be to steal or to get information from the innocent employees. • To Counter Tailgating attacks, use dead man doors that admit only one person at a time. • Security Awareness is another key; employees should look behind and beside them before such entrances. • Electronic doors with fingerprint access or swipe cards should also be promoted; with these, employees can easily be tracked and cautioned when allowing unauthorised access.
  • 52. Combating Cyber Crimes 1: Pretexting and Counter Measures • Pretexting is a process where the Attacker uses a partial script or an articulated scenario to pretend and deceive the Target User (Victim) into giving further information that completes the Attacker’s script and in turn grants the Attacker unauthorised access. • In Pretexting, the Attacker takes his time in building the access script, manipulating the Victim with reasons to hand over the remaining information that would eventually lead to access to the target system or building. • The intention of the Attackers is to have access to sensitive information by pretending to be an authorised User or Vendor. • The Attacker could pose as an External IT Vendor or a reputable agency and manipulate the Victims into believing that the intents of the attacker are pure. • The Attacker could also try to get information about the Target Server and the necessary details online, use the information to access the Server online and then launch further attacks. • A good example is the case of attackers pretending to be representatives of modelling agencies and escort services, requesting nude pictures from the Victims, who happened to be girls; the attackers deceived them into thinking they were doing them some good, only to use the nude pictures for pornography and other evil acts (https://www.washingtonpost.com/news/the-intersect/wp/2014/10/07/forget-celebgate-hackers-are-gunning-for-the-nude-photos-of-ordinary-women-and-underage-girls/?utm_term=.7e42bd145640). • The Consequence of Pretexting is Information Theft that could further affect the
  • 53. Combating Cyber Crimes 1: Baiting and Counter Measures • Baiting is another form of tricking employees and individuals into allowing the Attacker unauthorised access to the systems, through the offer of a gift. • A Baiter could promise to offer a Victim a gift if the Victim supplies his Log-in details at a link provided by the Attacker. The gift could be the download of a promising Mobile App or Music. • The aim is to use gifts to entice the Victim so that the Attacker acquires unauthorised information. • A good example is that of attackers who pretended to be promoting their customised USB devices, but on the USB device was a malware script embedded in a well designed image, in such a way that when the image was launched, it triggered the malware script, which in turn sent the details of the Victim’s system, including the Password and the Name of the System, to the email address of the Attacker. Many of those who got the USB devices as a gift supposedly launched the embedded script and had their system details sent online to the Attacker (http://web.archive.org/web/20060713134051/http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1). • The consequence of Baiting is that the Attacker gains undue information that would be used to launch a more targeted and dangerous attack. • To Counter a Baiting Attack, Users should be trained on integrity and security consciousness, backed by perimeter defences such as Firewalls. It is important to update the Anti-Virus Software on the systems.
  • 54. Combating Cyber Crimes 1: Quid Pro Quo and Counter Measures • Quid Pro Quo is like Baiting but with the promise of a service or benefit from the Attacker after the Victims have innocently granted them undue Access. • The Attacker could pretend to be an IT Service Provider and deceive the Victim, who has IT support in mind. • The Victim would further be deceived into replacing authentic software such as Anti-Virus on the Victim’s System with the Attacker’s Malware or fraudulent software, under the guise of an Update. • The Quid Pro Quo Attackers could talk the Victims into disabling their Anti-Virus Software. • The Consequence could be fraud and could lead to an absolute shutdown of systems. • To Counter Quid Pro Quo attacks, Users should be conscious, promote a culture of integrity and refuse to be enticed with benefits of any kind just to gain a service. • Companies should engage Service Providers and ensure the servicing of the systems is restricted to them. • On no condition should unauthorised external Parties be allowed to work on individual systems. • Non-disclosure undertakings should be firmly in place. • Security Awareness and Training cannot be over-emphasized.
  • 55. Combating Cyber Crimes 1: In Summary Most Common Social Engineering Cyber Crimes • Phishing • Spear Phishing • Dumpster Diving • Tailgating or Piggybacking • Watering Holes • Pretexting • Baiting • Quid Pro Quo • Whaling • Shoulder Surfing • Others Social Engineering Counter Measures • Social Engineering Counter Measures are more or less applied from the same perspective. • The Counter Measures are mostly preventive. • Adequate Training and employees driven by a good Integrity Culture would mitigate Social Engineering attacks faster. • Users should focus on using more secure web sites with https:// and not http://. • Users should be drilled with Phishing Campaigns to enable easy assessment of their Cyber Security Consciousness. • Companies/Users should run with up-to-date Security Policies, Patches and Anti-Malware. • The human element is the weakest link in Cyber Security; non-disclosure undertakings and the necessary background checks should apply. • Other Layers of Security and the Concept of Defence in Depth should also apply in cases where the attackers breach the preventive layer of the Security Measures. • Spam Filters, Mail Relaying, Firewalls and other Counter Measures should also apply. • A level of Sanction should apply in cases of breaches.
  • 56. Combating Cyber Crimes 2 (Others) Stop! Think! Connect
  • 57. Combating Cyber Crimes 2: • The other Cyber Threats are discussed here. • These include Authentication Attacks, Password Attacks, Malware, Patch Update Issues, Disgruntled Employees, Denial of Service Attacks, Distributed Denial of Service Attacks, Encryption Issues, Social Media, Mobile Gadgets and others as the case may be. • The consequences and Countermeasures are discussed accordingly.
  • 58. Combating Cyber Crimes 2: Malware • Malware is malicious code written by attackers to infect and corrupt the System, its Applications and files. • The Hackers aim at profit (that is, monetary gain), damage, theft of confidential Information and, in some cases, just the fun of seeing their code doing as instructed. • The types of Malware include Virus, Worm, Trojan, Ransomware, Polymorphic, Kiddies Script and others. • Virus: A Malware program that infects the System and its Applications and then replicates to other systems in the network with the help of a trigger, which could be in the form of an application or another program. The Virus cannot function on its own; a click, or a user or application launch, is needed for it to function and replicate. • Worm: A Malware program that infects and replicates itself to other systems on the network without any form of intervention. • Trojan: A program or an application with Malware code embedded in it. The original intent of the User is to install an application, probably meant for games or music, only to realise after installation that it came with Trojans that in turn infect the application files. It is a deceptive malware and unfortunately it is spreading like wildfire. Most current Malware is embedded in legitimate applications or email attachments. • Ransomware: Ransomware is a malware program that infects the system and files, encrypts/locks them and calls on the Victim to pay a ransom before the files are released. Ransomware has seen steady growth since 2013. It
  • 59. Combating Cyber Crimes 2: Malware: Counter Measures • It is important to note that Malware is the easiest way of infecting systems, gaining unauthorised access and carrying out all kinds of information theft. Other attack types use Malware in most cases to trigger attacks: Social Engineering Malware would be hiding inside the phishing email attachment, and Denial of Service would use Malware to flood and slow down the systems. • It must be ensured that a Safeguard is consistently in place that stays ahead of Malware. • Individuals or Businesses should subscribe to an Anti-Virus Vendor with a payment plan, rather than downloading one free of charge. Most free online Anti-Virus programs come with some malicious code or scripts. • Ensure you download and run Anti-Virus updates on a daily basis. • Train Users to report anomalies on Systems and Applications, especially unknown vulnerabilities not experienced earlier by any User. • Scan and preferably disable USB drives on the system. • Ensure there is always an updated policy on Bring Your Own Device (BYOD); otherwise do not allow BYOD on your premises, as it could be dangerous. • Harden your configuration settings to make unauthorised access difficult. • If the Malware is the type that collates and transmits information to an email address, there is a need to configure your SMTP (Simple Mail Transfer Protocol) relay against Spam, both inbound and outbound. • Update, Update, Update: keep updating on a daily basis, especially on your critical Systems.
  • 60. Combating Cyber Crimes 2: Identification, Authentication and Authorisation Attacks • Identification is a claim made by an entity or a person. It could be a User Name, User ID and others. • Authentication is the process of validating the claim made by an entity or a person as an identification. • Authorisation is tailored around granting access rights and the level of access right granted to an authenticated entity or Person. • It becomes a Threat when an unauthorised entity or Person accesses confidential information on the online system. • There are many vulnerabilities centred around the authentication of entities and persons. • Passwords have been the most common authentication attribute and are seen as the weakest in the line of authentication. • As attacks keep emerging and the bad guys keep exploiting vulnerabilities, it became obvious that just a User Name (ID) and Password are not enough to authenticate an entity, especially on critical transactions such as Electronic Payment Systems. • This led to the introduction of Multi-Factor Authentication.
  • 61. Combating Cyber Crimes 2: Multi Factor Authentication • There are three types of Authentication: Something You Know (Password), Something You Have (Smart Card) and Something You Are (Biometrics). • Due to the high rate of Cyber crimes emanating from unauthorised access, it was mandated that a combination of any two of the types of Authentication (Two Factor Authentication) or all three types of Authentication (Multi Factor Authentication) should apply when transacting online or logging into any critical system. • Multi Factor Authentication is proven to be the best Counter Measure against Authentication loopholes. • Biometrics (behavioural and physical attributes of a person), which is seen as something you are, proves to be the best and most secure Authentication type since it cannot be impersonated, but it is still not considered the best unless it is combined with one or two other Authentication Types. • A good example is electronic banking transactions: you first log in with your User ID and Password, then supply a token or One Time Password for verification.
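The electronic banking flow in the Multi Factor Authentication slide (User ID and Password first, then a One Time Password) can be sketched as follows. This is an added example, not code from the original slides: it assumes the One Time Password is a time-based code as defined in RFC 6238 (TOTP), and the `Account` class, user name and password are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000   # assumption: work factor chosen for the example


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of 30-second steps."""
    return hotp(secret, int(now) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Hypothetical account record: salted password hash plus a TOTP secret."""

    def __init__(self, user_id: str, password: str, totp_secret: bytes):
        self.user_id = user_id
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1          # highest time step already used


def login(account: Account, user_id: str, password: str, otp: str,
          now: float, step: int = 30, window: int = 1) -> str:
    # Factor 1: something you know. Compare in constant time.
    ok_user = hmac.compare_digest(user_id.encode(), account.user_id.encode())
    ok_pw = hmac.compare_digest(hash_password(password, account.salt),
                                account.pw_hash)
    if not (ok_user and ok_pw):
        return "denied: password"
    # Factor 2: something you have. Allow one step of clock drift either
    # way, and never accept a time step twice (replay protection).
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        expected = hotp(account.totp_secret, counter).encode()
        if counter > account.last_counter and hmac.compare_digest(expected, otp.encode()):
            account.last_counter = counter
            return "granted"
    return "denied: otp"


if __name__ == "__main__":
    secret = b"12345678901234567890"    # test secret published in RFC 6238
    acct = Account("ada", "constructed-passphrase", secret)
    code = totp(secret, 59)
    print(code, login(acct, "ada", "constructed-passphrase", code, now=59))
```

A stolen password alone fails at the second check, and a code that has been used once is rejected if it is presented again.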
  • 62. Combating Cyber Crimes 2: Password Weaknesses • A Password is a string of characters required for authenticating a person to access a Resource. • The Password is seen as the most ancient, most commonly used and weakest form of Authentication. It belongs to the Something You Know type of Authentication. • Passwords are prone to a series of attacks such as Guessing (Brute Force), Searching from a list (Dictionary) and Table Look-up (Rainbow Table) attacks. • The aim of each of the Password attacks is to crack the password and gain unauthorised access to Information Assets and Resources. • Passwords that could be easily guessed, that appear in a list of words, such as your birth date, or that could be looked up in a search could be easily cracked. • Kindly visit this site on the New Password Guideline from NIST (National Institute of Standards and Technology). • http://searchsecurity.techtarget.com/answer/What-new-NIST-password-recommendations-should-enterprises-adopt
  • 63. Combating Cyber Crimes 2: Password Management • To ensure your Password is not easily guessed or accessible by the bad guys who could be sitting by your side, some restrictions have to be applied and enforced. • Your Password must be a minimum of 12 characters with a combination of numbers, capital and small letters, and some special characters such as symbols (#, @, !). • The Password must be a word that you would easily remember as the owner but quite difficult for anyone to guess and crack. A good example could be ‘C@t0!K1A’; this is a combination of CAT and KIA with interwoven symbols and attributes. Just an example please. • You must not write down your password on paper or on the screen of your System. • No one should have access to your password in your absence as a way of accessing your files; the Password Management Team should work on various possibilities around such bottlenecks. • A Domain Controller or Active Directory kind of Architecture would permit another User to log on to any other system on the domain, but certain Application privileges may be required on the other User’s system. • There should be Password non-disclosure undertakings for businesses. • Vendors should have a temporary password that is time-bound and expires each day of Log-in.
  • 64. Combating Cyber Crimes 2: Patches/Updates Issues • A Patch is any program that is written with a view to correcting errors or vulnerabilities existing on the System; it could be for the Operating System or an Application. • It is a good practice to always run a weekly vulnerability scan on all the systems on your network, with timely remediation in mind. • It is also a good practice to check for System Patches and updates on a daily basis. • Ensure Critical Updates are tested on your Lab Platforms before deploying on the Live Systems. • Deployment of Updates should not be at the peak of business time. It should preferably be on weekends for businesses that do not run at peak during weekends. • Vulnerability Scanners such as Nessus, OpenVAS and others are useful tools for vulnerability scanning across the network.
  • 65. Combating Cyber Crimes 2: Zero-Day Issues • A Zero-day Vulnerability is an unknown error that could be exploited by the attacker. • Zero-day Vulnerabilities are mostly experienced on newly designed applications; the bad guys are always busy in search of zero-day vulnerabilities. • Users, including Mobile Application Users, should always be quick to report any error or form of security concern to the Vendor of the Application. This could be an avenue for the bad guys to exploit if not reported on time. • It should be noted that there is no new system that does not come with such vulnerabilities; the earlier they are detected by Users of the System, the better for all Stakeholders. • Once such errors are detected and reported to Vendors, please follow up on them for a timely and prompt patch for remediation. • Consistent running of system Updates could help avert Zero-day Attacks.
  • 66. Combating Cyber Crimes 2: Denial of Service/Distributed Denial of Service Attacks • Denial of Service Attacks are a series of malicious activities targeting the Availability of the system. • The aim is to deny due access to Information Assets or prevent Users from working on their systems. Denial of Service Attacks include: • Spoofing: Malicious impersonation of a System User or Device on a network. The intent is to steal data, launch an attack against the Victim’s Network, inject Malware into the Victim’s System or gain undue access into the Victim’s platform. • SYN Flood: Malicious flooding of the Victim’s System with a succession of SYN (synchronisation) requests until the system becomes unresponsive and unavailable. • Teardrop: Malicious sending of fragmented Packets (chunks of data) to the victim’s system until the packets begin to overlap one another as they cannot be re-assembled. The Victim’s Network Infrastructure crashes in the long run. • ICMP echo/Ping Flood: Malicious overwhelming of a Victim’s System with ping requests, that is, Internet Control Message Protocol (ICMP) echo requests, until the system goes down. • Ping of Death: Malicious sending of malformed IP Packets to the Victim’s System until the system crashes. • Smurf: A Distributed Denial of Service Attack that keeps sending bogus ICMP requests with the spoofed source IP address of the victim, in such a way that the Victim’s Computer network gets confused and is rendered inoperable. • Fraggle: This is like a Smurf attack, but instead of sending bogus ICMP requests it broadcasts UDP traffic with the spoofed IP address of the victim, using UDP ports 7 and 19. • Botnets: A collection of malicious or infected Computers/devices on the Internet being controlled by an attacker for further attacks such as theft, leakage, undue access and others. • Man-in-the-Middle: An act of interception of communication sessions between two or more Parties.
IBM X-Force's Threat Intelligence Index 2018 says that 35 percent of exploitation activity involved attackers attempting to conduct MiTM attacks. An example of a MiTM attack is session hijacking. • Most Denial of Service (DoS) attacks could be inbound (traffic coming from outside the network) or outbound (traffic going outside the network from inside). • Distributed Denial of Service (DDoS) attacks would deny Users access from two or more systems, with floods of attacks against the User. • Both DoS and DDoS could be likened to a group of individuals sitting on a web application or the network of an Internet Service Provider to ensure maximum downtime and lack of service to customers. Most are being paid to run down the services of a competitor. • In most cases the systems are slowed down by non-stop flooding of requests, probably IP requests, which end up fragmenting and killing the system or network as the case may be. • End Point and layered Security is the best approach to Denial of Service attacks. Preventive measures, Firewalls, Intrusion Detection, Intrusion Prevention, Penetration Testing, Hardening of Configuration Settings, updated Patches and Anti-Malware, adequate IP addressing techniques (both for outbound and inbound networks), Demilitarized Zones, Reconnaissance, Finger Printing and adequate Back-up plans would go a long way as Counter Measures against DoS and DDoS.
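The SYN Flood described in the Denial of Service slide leaves a recognisable trace for Intrusion Detection: many connections to one service that receive a SYN but never the final ACK. The following is an added example, not part of the original slides; the one-line-per-packet log format, the addresses (documentation ranges) and the thresholds are assumptions constructed for illustration.

```python
from collections import Counter


def parse(line):
    """Constructed format: '<epoch> <src_ip:port> > <dst_ip:port> <FLAGS>'."""
    ts, src, _, dst, flags = line.split()
    return float(ts), src, dst, flags


def half_open_by_target(lines, timeout=5.0):
    """Count handshakes per service that got a SYN but no ACK within timeout."""
    pending = {}                     # (client, server) -> time the SYN was seen
    now = 0.0
    for line in lines:
        ts, src, dst, flags = parse(line)
        now = max(now, ts)
        if flags == "S":             # client opens a handshake
            pending[(src, dst)] = ts
        elif flags == "A":           # client completes the handshake
            pending.pop((src, dst), None)
    stale = Counter()
    for (_, server), ts in pending.items():
        if now - ts >= timeout:
            stale[server] += 1
    return stale


def syn_flood_alerts(lines, threshold=20, timeout=5.0):
    """Services whose number of stale half-open handshakes reaches the threshold.

    Counting is per target service, not per source, because the source
    addresses in a flood are usually spoofed and rarely repeat.
    """
    counts = half_open_by_target(lines, timeout)
    return {server: n for server, n in counts.items() if n >= threshold}


def constructed_capture():
    """Constructed sample: 3 complete handshakes, then 40 SYNs never completed."""
    lines = []
    for i in range(3):
        client = f"198.51.100.{i + 1}:5000{i}"
        lines += [f"{i}.0 {client} > 192.0.2.10:443 S",
                  f"{i}.1 192.0.2.10:443 > {client} SA",
                  f"{i}.2 {client} > 192.0.2.10:443 A"]
    for i in range(40):
        lines.append(f"3.{i:02d} 203.0.113.{i + 1}:{40000 + i} > 192.0.2.10:443 S")
    # A recent SYN to another service: too young to count as stale.
    lines.append("9.5 198.51.100.9:50009 > 192.0.2.20:22 S")
    return lines


if __name__ == "__main__":
    print(syn_flood_alerts(constructed_capture()))
```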
  • 67. Combating Cyber Crimes 2: Disgruntled/Exited Employees • Employees of any Business are seen as the source of major attacks and theft on the platforms of the Business Firm. • Most Employees are disgruntled, probably feeling cheated and neglected by the Management of the business. • Those that have stayed for years without promotion or without reward for hard work, those that came into the business as bad and notorious, and others may find it difficult to promote the cause of the business. • Exited Employees, on the other hand, would be more aggressive and do the worst with any little privilege to access any platform. • It is therefore important to ensure adequate Security Policies, Standards, Guidelines and Procedures are in place before employment, during employment and on termination of appointment. • A background check before employment is paramount; establish a due policy on Termination Processes. • The employee’s logical access rights must be disabled; the Systems Admin Team should ensure this is done seamlessly with no stone left unturned. • It is best practice for companies to deploy a Single Sign-On Platform in order to reduce the administrative bottlenecks that could pose a challenge in managing employees’ access. • The remuneration should be impressive and transparent to all Stakeholders. • Employees should be made to sign undertakings on assumption of duty, on the job and at the termination stage. • Sanctions should be tied to any Violation whatsoever.
  • 68. Combating Cyber Crimes 2: Mobile Phones and Applications • McAfee reported, as at the first quarter of the year 2017, about 6 million Mobile Malware targeting the various Mobile Operating Systems, especially Apple iOS and Android. • There is a tremendous increase in Mobile Device breaches. • The next slide shows a table of Malware Threats on Mobile devices. • Aside from the tabulated attacks, there are also Bluesnarfing (theft of Mobile wireless Information through a Bluetooth connection), Bluejacking (sending of unsolicited messages from one Bluetooth device to other Bluetooth devices such as Mobile Phones, PDAs, Tablets and others) and Eavesdropping (silent listening to voice conversations made on phones). • Unwarranted remote monitoring using Mobile Devices is at an alarming rate. The bad guys have gone as far as installing persistent tracking and surveillance software on their mobile devices for round-the-clock monitoring. • Breaches on Mobile Apps could go on and on as the rate of abuse is innumerable; pornography is being highly promoted via Mobile Gadgets. • It is also reported that security around Mobile devices is becoming more difficult, but there would always be a way out. • Users should always change the default settings on buying any device. • Subscribe to the Phone Manufacturer’s Logging and Phone Tracking features in case of loss. • Encrypt and always back up your Mobile data; the bad guys would find it useless if they succeed in stealing it. • Never relent on running updates on the Operating Systems and various Apps as the case may be. • Always protect your gadget with a Pouch. • Use screen locks and PINs to prevent unauthorised access. • Don’t settle for the Default Settings unless they cover your security concerns. It is a good practice to change default settings.
  • 69. Combating Cyber Crimes 2: Threats on Mobile Gadgets and Apps
  • 70. Combating Cyber Crimes 2: Advanced Persistent Threats • An Advanced Persistent Threat is a kind of threat that grants the criminal unauthorised access to your Information Assets perpetually without notice. • The Attacker tarries on the system for a long time once unauthorised access is gained on the System. • The unauthorised Access could be gained through Social Engineering attacks. • The intent is to steal company data for monetary gain, not for damage. • Initial access could be gained through Social Engineering; the attacker quickly uses the access granted to fetch more useful log-in information of other Users and in the long run creates a back door on the system. • He could be transmitting outbound Data on a daily basis and still go unnoticed. • Most successful Advanced Persistent Threats are driven by Insiders. They apply further threats such as Data Diddling (unauthorised manipulation of data while inputting the data into the system) and Salami Techniques (an unauthorised process of slicing insignificant figures by System Users until they accumulate to a large sum) unnoticed. • End Point Security, Intrusion Detection and Prevention should apply here, even though the threats may not be averted or traced on time. • Anomalies in the Outbound data could alert the Network team. • Everything still boils down to Layered Security, end-user training and awareness. • Unauthorised access that was unduly granted could be fatal and difficult to detect because the access was through a legitimate User. • Logging and Monitoring events would also go a long way.
  • 71. Combating Cyber Crimes 2: Employees Collusion • Employees Collusion is a process where two or more employees with different levels of Access Rights agree to join their access rights to enable them to commit fraud on the System. • The Collusion scenario is that of one employee’s access right, probably on the inputting side, not being able to complete a transaction until the other employee, probably on the authorising side, makes it up and successfully completes the Transaction. • Employees in Collusion could run down and liquidate the company if it is not noticed on time. • Employees should not be allowed to stay in the same role for too long; imbibe the culture of shuffling them round the other roles. • Promote the culture of mandatory Vacation; no employee is indispensable. • Monitoring and logging events would go a long way in tracing anomalies, even though this would be difficult to trace. • Apply dual authentication techniques (two people logging in to a system at the same time with a joined password or any other authentication type) on the most critical Systems. This would deter further. • Do all you can to harden your Separation of Duties Policies and Procedures. • You could as well extend the approval of your critical transactions up to the Highest Level of Management; the fraud could be detected as it goes up the reporting lines, except if all stakeholders are involved in the collusion.
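The monitoring and logging mentioned in the Employees Collusion slide can be applied to a transaction log that records who input and who authorised each transaction. The following is an added example, not part of the original slides; the ledger fields, names, amounts and thresholds are assumptions constructed for illustration. It reports Separation of Duties violations and inputter/authoriser pairs that work together unusually often, which is a prompt for review and role rotation, not proof of fraud.

```python
from collections import defaultdict


def sod_violations(ledger):
    """Transactions where the same person both input and authorised."""
    return [t["id"] for t in ledger if t["maker"] == t["checker"]]


def concentrated_pairs(ledger, min_count=5, min_share=0.8):
    """Makers whose transactions are almost always authorised by one checker."""
    count = defaultdict(lambda: defaultdict(int))
    value = defaultdict(lambda: defaultdict(int))
    for t in ledger:
        if t["maker"] == t["checker"]:
            continue                         # reported by sod_violations()
        count[t["maker"]][t["checker"]] += 1
        value[t["maker"]][t["checker"]] += t["amount"]
    flagged = []
    for maker, by_checker in count.items():
        total = sum(by_checker.values())
        checker = max(by_checker, key=by_checker.get)
        approved = by_checker[checker]
        if total >= min_count and approved / total >= min_share:
            flagged.append({"maker": maker, "checker": checker,
                            "approved": approved, "of": total,
                            "value": value[maker][checker]})
    return flagged


def constructed_ledger():
    """Constructed sample log: (id, maker, checker, amount)."""
    rows = [
        ("T01", "amaka", "dayo", 250), ("T02", "amaka", "dayo", 250),
        ("T03", "amaka", "dayo", 250), ("T04", "amaka", "dayo", 250),
        ("T05", "amaka", "dayo", 250), ("T06", "amaka", "efe", 100),
        ("T07", "bola", "dayo", 100), ("T08", "bola", "dayo", 100),
        ("T09", "bola", "efe", 100), ("T10", "bola", "efe", 100),
        ("T11", "bola", "femi", 100), ("T12", "bola", "femi", 100),
        ("T13", "chidi", "chidi", 900),      # input and authorised by one person
        ("T14", "chidi", "efe", 100),
    ]
    return [{"id": i, "maker": m, "checker": c, "amount": a}
            for i, m, c, a in rows]


if __name__ == "__main__":
    ledger = constructed_ledger()
    print("Separation of Duties violations:", sod_violations(ledger))
    for pair in concentrated_pairs(ledger):
        print("Review pair:", pair)
```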
  • 72. Combating Cyber Crimes 2: Social Media • The challenges on Social Media have become quite enormous and threatening. • It has become so easy to search for people through Social Media using just the first Name. • Social Media has become the easiest way to get the information of Victims and to track their movements and locations. • There are issues of abuse of Personal Privacy through sharing of personal data on social media without permission and consent from the Data Owners. • There are cases of the bad guys hacking into the profiles of Victims and using them to launch Posts. • The good news is that most of these Social Media Providers are now updating and remediating the security flaws around their Platforms. • You are entitled to share your security concerns at any time with these Providers at their various support centres. • Always ensure you read the privacy statements thoroughly before raising issues on Security. • It is also advisable that you check your privacy and Security settings on each of these platforms; don’t settle for the defaults. • Kindly visit the following links on the Privacy and Security settings of Facebook and LinkedIn: • https://www.facebook.com/settings?tab=privacy • https://www.facebook.com/settings?tab=security • https://www.facebook.com/safety Study the Safety Centre for various Privacy and Security descriptions • https://www.facebook.com/safety/policies • https://www.facebook.com/safety/tools • https://www.linkedin.com/psettings/
  • 73. Combating Cyber Crimes 2: Encryption as a Security Measure
    • Encryption is the process of converting a readable (clear text) message to an unreadable (cipher text) state.
    • Encryption mechanisms have been proven to be the best approach to hiding highly confidential messages, with the necessary keys and algorithm to strengthen the mechanism.
    • It is important to note that encryption is a preventive technical control aimed at the Confidentiality aspect of the CIA triad. It protects an information asset from unauthorised access and undue disclosure.
    • Encryption would also assist the business in applying security with a level of obscurity. Steganography is the act of hiding information by embedding it in another file.
    • In most cases, encryption is the second level of protection in the security layers, especially when the asset is stolen.
    • For example, a stolen mobile phone would be useless to the thief if it is encrypted and inaccessible to the thief; the same goes for a stolen laptop with full disk encryption on it.
    • It is therefore a very good practice for individuals and businesses to deploy encryption algorithms on their applications, password tables and managers, systems, mobile phones, data in transit, data at rest and others.
  • 75. Important Facts
    • It is a good practice to understand what you are protecting, how to protect it and how to fight the threats surrounding it. This is what Cyber Security is all about.
    • To achieve and enforce a good measure of Cyber Security, it is advised that users, businesses and governmental bodies abide by the local and global standards and regulations.
    • These regulatory bodies have a way of compelling entities to maintain due care and due diligence in carrying out their duties.
    • Examples of such regulatory bodies are the ISO (International Standard Organisations) group, whose Cyber Security standard is ISO 27001 for Information Security Management System, and NIST (National Institute of Standards and Technology), whose e-mail Cyber Security standard is NIST-45 and whose risk standard is NIST-30.
    • We also have other bodies such as the Economic and Financial Crimes Commission (EFCC), Central Bank of Nigeria (CBN), Nigerian Financial Intelligence Unit (NFIU), Payment Card Industry Data Security Standards (PCIDSS), Health Insurance Portability and Accountability Act (HIPAA) and others. HIPAA is more applied in the USA.
    • Businesses and governments should not just aim at the certifications but ensure that each of the frameworks is duly applied, enforced and well maintained.
    • Most of the frameworks are integrated and customised to suit the business processes, and thus make enforcement seamless.
  • 76. Important Facts Cont’d
    • Always remember that the human wing is the weakest link in any organisation. It is a good practice to promote training for users both locally and abroad.
    • Authentication loopholes are another area that grants the bad guys easy, unauthorised access. It is a good practice to enforce the multi-factor authentication technique, manage passwords effectively, and use Single Sign-On techniques to reduce the administrative bottlenecks.
    • It is important to ensure Segregation of Duties, the Principle of Least Privilege (the user can only access the resources required to do the job and nothing more) and Need To Know (the user can only utilise the level of knowledge required). Logs and monitoring tools must apply, preferably SIEM (Security Information and Events Monitoring).
    • Standards such as the Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology (OSSTM) should apply to software and applications, as well as integrated code testing techniques such as fuzzing.
    • Layered security, defence-in-depth and endpoint security are the way to go!
    • Always run tools to test the level of penetration, intrusion detection and prevention.
    • Run vulnerability scans on a daily basis, as new vulnerabilities emerge daily.
    • Always apply patches and updates, run anti-malware and monitoring tools, encrypt data in motion and at rest, and embrace full disk encryption for your laptops and others.
    • Always STOP, THINK and CONNECT.
  • 77. Practical Approach To Combating Cyber Crimes
    • ‘Breaking News’ revealed the speed of Cyber Crimes as new technologies emerge, how they have affected the world, Africa and Nigeria as a whole, and the objectives behind the National Cyber Security Awareness Month Program (please refer to ‘Breaking News’).
    • ‘Overview of Cyber Security’ emphasised the concept of the Confidentiality, Integrity and Availability (CIA) Triad.
    • ‘Identifying and Classifying your Information Assets’ revealed the importance of identifying, evaluating and classifying your Information Assets as the first step in Cyber Security. It is the value you place on your assets that determines the measure of protection required on each asset.
    • ‘Protecting Your Information Assets’ further revealed the various Security Measures and Controls that apply in Cyber Security: the three Control Types (Administrative, Technical and Physical) and the 7 Security Measures (Preventive, Detective, Deterrent, Corrective, Restorative, Compensative and Directive). It is important to understand each term and the concept around each.
    • ‘Determining The Ideal Security Measures’ emphasised a level of assurance that the Security Measures/Counter Measures/Safeguards around your Information Assets are the best and most suitable at that point in time, using Vulnerabilities and Risk Analysis/Assessment Methods.
  • 78. Practical Approach To Combating Cyber Crimes Cont’d
    • ‘Combating Cyber Crimes 1’ exposed the threats associated with Social Engineering. Social Engineering attacks are reported as the most common and successful Cyber Crimes. The majority of the attacks may not be possible if the human wing is secured enough with the right knowledge and skills ahead of the bad guys. User training is important; security metrics and campaigns should be used to measure the level of security knowledge.
    • ‘Combating Cyber Crimes 2’ exposed other Cyber Threats aside from Social Engineering. The truth is that the list is unending: Cyber Security cuts across Applications, Patches, Operations, Physical, Encryptions, Networks and Communications, Access Controls, System Updates, Mobile, Logs and Monitoring, Firewalls and Social Media. In fact, virtually everything is riding on the internet, and managing them proactively is paramount.
    • Kindly share with others; remember, Cyber Security is the responsibility of everyone.
  • 79. All about Cyber Security
  • 80. Subsequent Series on Cyber Security: Watch Out/Contact Us
    • Kindly watch out for more articles, posts and publications on Cyber Security, especially as the threats emerge.
    • Also follow us on the various media: LinkedIn, Facebook and Twitter.
    • You can also contact us for your training/prep for Cyber Security certification exams such as CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CISA (Certified Information Systems Audit) and CEH (Certified Ethical Hacker).
    • Also contact us for your holistic and resilient Cyber Security solutions and training, Penetration Testing, Big Data Security and Systems Audit.
    • We handle both corporate and individual trainings.
    • Thanks again for being part of this presentation; we appreciate you.
  • 81. Chinatu Uzuegbu CCISO, CISSP, CISM, CISA, CEH, MSc.(Liverpool)… Senior Cyber Security Consultant RoseTech CyberCrime Solutions Ltd info@rtechccsl.com chinatuuzuegbu@gmail.com +2348037815577 Membership: ISACA, ISACA Lagos, ISC2, CSEAN, EC-Council