The South African Cyber Security Awareness Month (SACSAM)

Prof Basie Von Solms
Academy for IT
University of Johannesburg
basievs@uj.ac.za

The Cyber Risk
The Symantec Internet Security Threat Report (Symantec, April 2011)
• Symantec recorded nearly 3 billion malware attacks in 2010
• A 93% increase in Web attacks
• 260 000 identities on average exposed per breach
• 42% more mobile vulnerabilities
• Rustock, the largest botnet, had well over one million bots under its control
• 10 000 could be rented for US$ 15 for Denial of Service attacks

The Cyber Risk
The Sophos Security Threat Report 2009
• 23 500 infected websites are discovered every day. That’s one every 3.6 seconds.
• 15 new bogus anti-virus vendor websites are discovered every day.
• 89.7% of all business email is spam.
The report further makes the following very worrying statement:
‘The vast majority of infected websites are in fact legitimate sites that have been hacked to carry malicious code. Users visiting the websites may be infected by simply visiting affected websites, … The scope of these attacks cannot be underestimated, since all types of sites – from government departments and educational establishments to embassies and political parties … – have been targeted.’

The Cyber Risk
"The Internet is the crime scene of the 21st Century," (Wall Street Journal, 2010a)

The Cyber Risk
The CISCO White Paper, 2009
‘Internet users are under attack.
Organized criminals methodically and invisibly exploit vulnerabilities in websites and browsers and infect computers, stealing valuable information (login credentials, credit card numbers and intellectual property) and turning both corporate and consumer networks into unwilling participants in propagating spam and malware’

The Major Countermeasure: Cyber Security Awareness
• Like the anticrime, environmental awareness, and antismoking television ad campaigns of recent years, a comprehensive and repeated program of public awareness could help instill fundamental security principles to make cyber space safer and more secure.
• Such awareness programs should point out that securing one’s own computer not only lowers the risk for that individual but also helps improve the security of cyber space and the country as a whole.

The Major Countermeasure: Cyber Security Awareness
• Thus, user awareness education is just as vital a tool in protecting cyber space as the latest firewall or encryption technology.
• The sorry state of information security awareness for the public at large is an even bigger problem …
• The state of information security in cyber space can be significantly improved by public service announcements and education campaigns.

From SA’s Draft National Cyber Security Policy
6. Proposed SA Initiative
Establish an annual Cyber Security Awareness Month/Week

Let us look at some examples relating to such a Cyber Security Awareness Month/Week

Australia
• National Cyber Security Awareness Week
• An annual initiative held in partnership with industry, community and consumer groups and state and territory governments.
• The Week aims to help Australians understand cyber security risks and educate home and small business users on the simple steps they can take to protect their personal and financial information.

United Kingdom
Get Safe Online Week
• Get Safe Online is the UK’s national internet security awareness initiative.
• Get Safe Online Week encourages web users to take time out of their week to learn more about internet safety and to make sure that their computer is properly protected.
• It reaches out to consumers and small businesses through competitions, events and PR activity.

Singapore
The Cyber Security Awareness Alliance
Our Mission
The aim of the Alliance is to:
• Build a positive culture of cyber security in Singapore, where security becomes second nature for all users; and
• Promote and enhance awareness and adoption of essential security practices for both the private and public sectors.
The Alliance comprises representatives from the government, private enterprises, trade associations and non-profit organisations.

America
What is National Cyber Security Awareness Month?
• National Cyber Security Awareness Month is an annual effort to increase awareness and prevention of online security problems,
• spearheaded by the U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA).

America
The National Cyber Security Alliance (NCSA)
Mission:
• NCSA's mission is to educate and therefore empower a digital society to use the Internet safely and securely at home, work, and school,
• protecting the technology individuals use, the networks they connect to, and our shared digital assets.
Vision:
• In a climate of persistent threats, securing cyber space is a responsibility we all share.
• Securing the Internet and our shared global digital assets—cybersecurity—is critical if we are to achieve the potential of an empowered digital society.

NCSA builds strong public/private partnerships to create and implement broad reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems, and their sensitive information safe and secure online and encourage a culture of cybersecurity.

Scope of these programs
• Schools
• Universities
• Home Users
• Enterprises

Topics
• Identity fraud
• Phishing
• Viruses, spyware and malware
• Mobile internet security
• Online scams
• Social networking
• Online dating
• Shopping and selling online

Tools
• Posters
• Cartoons
• Flyers
• Podcasts
• Lectures
• Videos
• Advertisements
• etc

NCSA Resource Library

SA Cyber Security Awareness Month
Step 1: Create a SA Mandating Authority (MA) and invite supporters and endorsers from the public and private sectors.
• Department of Communications
• Department of Education (Basic and Higher)
• Financial Institutions
• Telecommunications companies
• Universities
• Etc
The Centre of Competency for Research in Cyber Security and Related Areas (CCRCSRA) at UJ is offering to act as an initial vehicle to get such a MA established.

Step 2: Create an initial plan as far as content and distribution of material and awareness for the first Cyber Security Awareness Month in October 2011 is concerned.
As initial concentration is on schools and Universities, the UNISA and NMMU efforts can take responsibility for the schools area. The CCRCSRA at UJ will concentrate on Universities.
In cooperation with the MA and sponsors (see later) some marketing material for radio and TV can be developed. The material of the NCSAM (US) can also be used with good effect.

Step 3: Find sponsors
Part of establishing the MA (Step 1 above) will be to find sponsorship to produce and distribute some of the material mentioned in Step 2.

Step 4: Roll out the first SA Cyber Security Awareness Month in October 2011
• This will initially be a small effort, but should grow in coming years.
• Without starting slow, we will never get anywhere.
• Although the initiative is directed towards SA, it can just as well be a Southern Africa Cyber Security Awareness Month involving other countries from Southern Africa.
• The emphasis on SA in this case is just to ensure that we can kick off here in 2011.
• The main purpose of the SACSAM is therefore a sort of national public awareness campaign to encourage everyone to protect their computers and our nation’s critical cyber infrastructure.

Summary
• It will do SA good to have some concentrated effort to expand awareness about Cyber Security risks amongst the whole civil society. The planned SA National Cyber Security Awareness Month may be the first coordinated effort to do so.
• Interested parties are invited to contact me.

Thanks