Countering cyber crime
In 2007, the Gauteng Provincial Government (GPG) was hit by a major computer virus infection that left them off-line for three weeks, with astronomical downtime costs. In 2012, the Post Bank lost R42-million over a public holiday and in 2014, cyber criminals attempted to steal R3.5-billion from Eskom and R800-million from the Gautrain. In total R70-million was stolen from the Gautrain, of which R30-million was never recovered.
“The big four banks lose billions on an annual basis due to cyber criminals, with internal employees and syndicates involved,” said Gauteng Security Operations Centre’s Ignatius Govender. “In the context of government, the statistics are massive and investigations revealed insufficient security patrols, poor patch management, no continuous monitoring or remediation taking place. This is what led to us establishing the Gauteng Security Operations Centre (GSOC).
“We leave work at 4pm and cyber criminals start work as we leave. Now we have a 24x7 Splunk-based system, built with government in mind.
“People are constantly watching, working shifts. We collect and analyse the logs from multiple systems, monitoring for incidents and sending an alert via telephone and SMS when a key targeted issue arises. On-site resolvers — who are IT analysts — are dispatched to fix incidents immediately, blocking and protecting systems. For example, if we see R2-million being transferred on a Sunday morning, we immediately raise the alert. Some systems should not be accessed over a weekend and the alert includes an IP address and location.”
According to Govender, once a system is infected or affected by malware, if this remains invisible it can slow or bring down the whole network, and if someone has taken control via the internet through a command and control server, huge sums of money can be stolen.
“We still have malware issues though memory sticks being put into PCs by users. Portraying bad events on a per-user basis allows us to compare the departments to each other. This has become a key report target for them and the auditor general. The department of health has specific challenges: old X-ray machines, for example, cannot run Windows, but this department is moving in the right direction as new controls are put in.”
Dashboards have been set up for operational monitoring in each department, with data maps in the CIO’s office so he can drill down and investigate. “Even if there are 100 Sequel servers in a department there is one view and if there is a problem, within five minutes an on-site resolver is dispatched,” said Govender. He also said that data has specific information personalities in each system and if the personalities change, something is wrong.
“If we understand the personality of information we can investigate and work together to find out what is going on. As more and more systems come online, you cannot afford to be blind.
“We have now found that people from the private sector, particularly banks, are coming to learn from what government has implemented and the more we migrate to digital, the more we need to ensure that information is secure and accessed by those with the authority to do so.”
Govender said sometimes IT security is taken for granted, but it is a point of entry for disease. “It becomes an ebola. By the time you have the means to take action, it is too late. Take the matter of IT security very, very seriously and make it part of performance contracts.”