INFORMATION SECURITY SOCIETY OF AFRICA, NIGERIA (ISSAN) CYBER SECURITY TRENDS IN NIGERIA : JAN – FEB 2016 Feb 23, 2016


Distinguished Ladies and Gentlemen, it is my pleasure to welcome you all to the second general meeting for the year 2016, which holds today, Feb 23, 2016.

I would also like to seize this opportunity to welcome all the VIPs present here today and those who are attending our meeting for the first time.

The year 2015 can be described as the year of cyber security explosion as new malware and Trojans were created and spewed out on the web at an alarming rate (that is still happening today). Botnets were very active during the year and victims were recorded across the globe. Also, ransomware and DDoS attacks became the order of the day in addition to cyber warfare and cyber espionage. To date, several countries are still being fingered for being behind several attacks that were witnessed especially in the United States of America and around the world.

In Nigeria, we had our share of attacks but the fight against cyber crime and other forms of cyber attacks was intensified as organizations stepped up their respective preventive, detective and awareness heightening activities in conjunction with the CBN through the activities of the Nigerian Electronic Fraud Forum (NeFF) working in close collaboration with the Banks, the Legislature, Law Enforcement agencies, as well as local and international organizations like ISSAN. Many organizations are also budgeting for the security of their on-line (electronic) space. The battle is indeed on-going.

MAJOR FORMS OF ATTACKS IN THE INDUSTRY IN THE YEAR 2015

MAJOR ATTACKS IN THE YEAR 2015

During the year Jan – Dec 2015, different forms of attacks were experienced. The major strands are as follows:

• Exploitation of the ATM infrastructure (magstripe fall-back set-up)

• Identity theft

• Use of keystroke loggers

• Unauthorized electronic transfers from customers’ accounts

• Email spoofing and transfer instructions

• Card cloning in non-EMV environments

• Ransomware and steganographic attacks

• POS PIN validation disruption

MAJOR ATTACKS CONT’D

Others include:

• Compromise/fabrication of SMS alerts to defraud merchants

• Defamation of character via online blogs (Cybercrime Act 2015) in action at a Federal High Court in Lagos

• New frauds involving the BVN & deliberate non-registration by customers

• Serial impersonators requesting for ATM cards and on-line profiles

In summary, the attack vectors increased over time but the rate of success is slower than the increase in the number of attempts. This means that we are winning the war gradually and steadily. But there is more work to do.

BANKING INDUSTRY ATTACKS FOR JAN – FEB 2016

• ATM / Card Fraud

• In-Branch POS Deposits

• BVN Related Frauds / Change of Identity

• Fraudulent Transfers

OUTLOOK FOR 2016

For the year 2016, we plan to achieve much more. We will focus on generating awareness activities in the polity to ensure that people who do not want to work shall not find any occupation in cyberspace.

We plan to organize key quarterly events this year that will create the right boost for cyber awareness across the nation and the African continent.

Deepen our collaboration efforts with key stakeholders and local and international organizations.

Develop programs for the Press e.g. newspaper publications as the gap on the streets is still very wide.


Expand the scope of our monthly meetings to accommodate more speakers and activities.

Engage external consultants to assist with the required push for effective legal collaboration and training as well as collaboration with relevant governmental agencies... 2016 is already looking quite exciting.

RANSOMWARE! RANSOMWARE!! RANSOMWARE!!!


Tips to stop businesses from being hit by ransomware (Cluley, 2016):

• Back up your data. Don’t just back up your data to a separate partition or an external drive. The ransomware might attempt to corrupt it if it can be reached directly from your computer. It is important to consider cloud services. Of course, as with any cloud-based service, privacy and security remain a priority, so ensure that you’re not just doing backups, but that the backups can be restored easily and that they are being stored securely.

• Stop running as administrator. Most users in banks and other institutions do not require admin rights when going about their normal business online, but every minute they use the computer with administration-level permissions they are increasing the chance that ransomware might manage to encrypt and corrupt essential databases and other files. When you are using your computer with admin rights, avoid browsing websites or opening email attachments.

• Don’t run software from unapproved sites. Always be suspicious of unsolicited messages, links and attachments, especially if you were not expecting to be contacted in that way or if the wording seems out of character.

• Keep your computer up-to-date with the latest security patches, as ransomware will often use unpatched vulnerabilities as a vector for infection.

• Consider running an ad blocker, as ransomware attacks have frequently been launched via booby-trapped poisoned ads.

• Reduce the attack surface by uninstalling unnecessary plugins where possible (for instance Silverlight, Flash, Java, etc.).

• Run endpoint protection on your desktop, laptop and smartphone if possible, and make sure that you are leveraging all of its features. Ensure it is kept up-to-date, as tens of thousands of new malware variants are identified every day. In addition, run anti-virus protection at your web and email gateways to help block attacks.

• If you do click on an unsolicited Microsoft Office attachment (Word documents, PowerPoint presentations, Excel spreadsheets) received via email, do not enable macros unless you are confident it is safe to do so. It can be a good idea to install one of Microsoft’s free Office viewers to open such files by default.

• Keep you and your colleagues clued up about computer security threats. The last line of defence is you – as you’re the one who clicks on a link, visits a website or opens an email attachment. Taking an active interest in infosecurity and sharing your knowledge with your fellow workers can go a long way to making the workplace safer.

On this final note therefore, it is my pleasure to welcome you all to the last event by ISSAN for the year 2015 and wish you all fruitful deliberations.

Thank You

David Isiavwe


REFERENCES

• Cluley, G. (2016) Online extortion is on the rise. Retrieved from: http://businessinsights.bitdefender.com/simple-way-stop-business-extorted-ransomware

• Isiavwe, D. (2015) President’s welcome address. Last meeting for the year 2015. Presented at the monthly meeting of Information Security Society of Africa, Nigeria (ISSAN).
