9 May, Cape Town: South African companies are not on a par with their European counterparts when it comes to the security of their computer systems, an expert has revealed.

“It’s actually scary how quickly I can get the main administrator rights. For example, if you’ve got a five-day engagement – 40 hours – if you have the main admin by Monday at 12:00, that’s quite scary, I think,” Philip Pieterse, head of the ethical hacking division in South Africa for Spiderlabs, told News24.

Spiderlabs is a division of Trustwave that conducts penetration testing of computer systems so that managers know where vulnerabilities exist and can have them remedied.

“Penetration testing is where we use the same techniques, the same tools that the bad guys do, obviously in a controlled form,” said Pieterse, who recently returned from similar work in the UK.

Testing

He said that companies that believe they have secure systems generally contact penetration testers to conduct tests that can demonstrate the integrity of internal systems, which may hold intellectual property.

“Organisations, when they feel they have reached a maturity level where they feel they can actually have a penetration test, they would come to us.”

According to the Payment Card Industry Security Standards Council, which is made up of the credit card providers, companies that process cardholder data should subject their systems to annual penetration testing.

“An assessment company would come in and go through all those requirements and check that this stuff is in place. If everything is in place they issue a report on compliance. It is then your responsibility as a merchant to maintain that compliance,” said Bob Russo, general manager of the PCI Security Standards Council, describing how the compliance assessment process is meant to work.

Pieterse said that South African companies were actively engaged in increasing their security compliance, but they still had a long way to go.

“I’m born and bred South African, so I don’t want to dis [insult] South Africa, but I was working in the UK for a year before I moved back here, doing the same thing I did there. South African companies, even though they try very hard, they still need to go through some steps to the same level as, for example, companies I’ve seen in the UK or Europe.”

He was careful to add that in the UK and Europe the growth curve on security generally started earlier than in SA, giving those companies around a five-year lead in how security conscious they are.

Threat report

“With the South African companies, there are lots of companies still in the first year with us,” said Pieterse.

Security awareness is key for companies, and users should be trained to avoid links sent through spam e-mails and suspect website links.

Symantec’s Internet Security Threat Report found that 61% of malicious websites were, in fact, legitimate websites that had been defaced or compromised by hackers.

These were mainly e-commerce sites, which an attacker could use to steal visitors’ financial information.

“The best practice – and that’s one of the things we saw in our Global Security Report – is security awareness and even security awareness training. I don’t think it is as expensive as, for example, buying a technology, so I think that’s a quick win,” Pieterse said.

He added that it was up to users to be careful about the links they followed in surfing the web.

“You can have the longest password and a fully patched work station but if you click on a link on the wrong page, you can be instantly compromised.”

-News24