While there are a number of commonalities between securing a business facility and securing government and parastatal facilities, there are also a number of elements that require a slightly different approach. While intentions may be good, budget plays a huge factor in what systems are actually in place to provide maximised security.
Kevin Monk, MD of SW Security Solutions, believes that the biggest threats faced by governments and parastatals in South Africa and southern Africa are internally motivated. He cites staff stealing company time and not being at work when they claim to be as the primary internal threats. Externally, he points to the theft of company laptops, cellphones and other smart devices by criminals entering the facilities without authorisation.
While there are examples of government and parastatal departments that have instituted some security measures, such as SARS and some of the national keypoints, in general there is a lack of any discernible control over the ingress and egress of people in these facilities.
Monk believes that with the exception of financial institutions, government and parastatals are probably the biggest single owners of IT technology in the country. This makes them a very soft target for opportunistic criminals. There are two critical security needs, therefore. These are the ability to remotely shut down all smart mobile devices when they leave the facilities without being checked out by authorised persons; and more definite control over the ingress and egress of people into the facilities.
Nicolas Garcia, sales manager for access control at Morpho South Africa, says that cyber threats are one of the biggest concerns currently facing governments. A typical example is the release of confidential information as we have recently witnessed in South Africa. The effects of leaked information on foreign relations can be disastrous.
Part of the solution, Garcia believes, is to implement fingerprint logon to all PCs to prevent and/or control the access to any sensitive information. The traditional password logon is therefore replaced by a biometric logon which cannot be forgotten, lost or passed on to another person.
Integration is key
The issue of integration is an interesting one with no ready solution. The problem, Monk says, is that the financial situation of many municipalities does not allow them to spend money on integrating their access control/T&A/payroll systems. Even existing systems, he says, are not being adequately maintained and adoption of appropriate T&A systems is often met with disinterest or anger by employees who refuse to buy into the concept. “There is the rub. There would be a drastic reduction in time theft and unnecessary absenteeism if government departments and parastatals were to keep a more accurate record of employee working time, thus releasing funds that are required to pay for such systems.”
Garcia says that when working with an integrated system one has to ensure that all components are compatible, and have a high level of interoperability. In addition, due to the sensitive nature of the environment, it is essential that the system complies with the highest quality and verification standards.
With convergence, he adds, one can ensure that someone can use the same credentials to access a building and log onto a PC. This means that advanced rules could be enforced to ensure that an individual cannot log on to a PC if they have not first gained authorised access into the premises using a recognised biometric system. Similarly, when the employee leaves the building, their PCs could be automatically logged off, should they have failed to do so manually. This method, he says, is working well at a number of sites nationwide and internationally where the system has been installed.
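The convergence rule described above (no PC logon without a prior authorised entry, and automatic logoff on exit) can be sketched as a small state machine. This is an added example, not code from any vendor named in the article; the event names, user names and sample events are constructed, and it assumes every entry and exit is recorded by the access control system.

```python
from datetime import datetime

# Constructed sample feed (not from the article): (ISO time, user, event).
EVENTS = [
    ("2024-03-04T07:58:00", "alice", "door_in"),
    ("2024-03-04T08:03:00", "alice", "pc_logon"),
    ("2024-03-04T08:10:00", "bob", "pc_logon"),    # never entered the building
    ("2024-03-04T12:30:00", "alice", "door_out"),  # left without logging off
    ("2024-03-04T12:45:00", "alice", "pc_logon"),  # logon attempt while off site
    ("2024-03-04T13:00:00", "carol", "door_in"),
    ("2024-03-04T13:05:00", "carol", "pc_logon"),
    ("2024-03-04T17:00:00", "carol", "pc_logoff"),
    ("2024-03-04T17:02:00", "carol", "door_out"),
]


def enforce_convergence(events):
    """Apply the physical-before-logical rule to a merged event feed.

    Returns a list of (time, user, decision) tuples. Assumption: every
    entry and exit is badged, so on_site reflects who is really inside.
    """
    on_site = set()   # users with an authorised entry and no exit yet
    sessions = set()  # users with an open PC session
    decisions = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, user, kind in ordered:
        if kind == "door_in":
            on_site.add(user)
        elif kind == "door_out":
            on_site.discard(user)
            if user in sessions:  # user forgot to log off manually
                sessions.discard(user)
                decisions.append((ts, user, "forced_logoff"))
        elif kind == "pc_logon":
            if user in on_site:
                sessions.add(user)
                decisions.append((ts, user, "logon_allowed"))
            else:  # no authorised entry on record: deny the logon
                decisions.append((ts, user, "logon_denied"))
        elif kind == "pc_logoff":
            sessions.discard(user)
        else:
            raise ValueError(f"unknown event type: {kind}")
    return decisions


if __name__ == "__main__":
    for row in enforce_convergence(EVENTS):
        print(*row)
```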
He adds that when a site is adequately secured from both the physical and logical perspective, mobility becomes the next key component to ensure proactive actions as opposed to reactive actions. He suggests that guards could patrol the facilities and perform spot checks on individuals to ensure they have the relevant access authorisation to be present in their current location. In highly secure environments, multimodal or more advanced technologies like fingerprint and vein mix or 3D facial recognition could be used to increase the security level.
The right platform and people
Because PSIM and BMS platforms are the next step on from traditional access control systems, they will be of little use unless government and parastatals already have an adequate access control system in place. However, they could be very useful at, for example, nuclear plants where access is only permitted for those who hold the specified nuclear clearance.
Monk believes that government could benefit from the various PSIM layers through the provision of physical security barriers as well as corporate governance systems. He cautions, however, that after May 2016, when the new BEE rules are to be announced, some companies could find that they will be unable to install PSIM systems for government departments or parastatals.
Garcia says that PSIM not only ensures that an individual is identified and is authorised to be in a specific area, but also that he has all the relevant credentials to access a zone. These credentials could include a valid and current driving licence; having attended an induction course within a specified period; having no criminal record and, for instance, being sober.
Is there a silver bullet solution for government and parastatal security? Garcia says that it’s important to bear in mind that any technology used separately is of very limited value and biometrics are no different. It is only one piece of the puzzle which, if not integrated properly into a state-of-the-art access control solution, can only provide a specific, somewhat limited outcome.
Monk confirms this and adds that an access control system could be integrated with both a T&A system and a payroll system. In addition, IP-based surveillance systems could be added to the mix to provide an extra level of security and verification.
Part of the security mix for the protection of government and parastatal buildings has traditionally been intruder detection systems with armed reaction units. However, Monk feels that their role has changed and many are no longer willing to fulfil their role by entering premises where an intruder detection system has been activated. He believes this is due in great part to the adoption of worldwide protocols for armed response, an anomaly which does not take our unique South African environment into consideration.
He feels that the inherent job risks should be outlined to response personnel before they sign up and that an acceptance of these risks should form part of their work contract, otherwise it is pointless to have an armed reaction unit. This, he adds, is the driving force behind the resurgence of smaller, owner managed security companies who are filling this necessary gap in the market.
Doros Hadjizenonos, country manager for Check Point in southern Africa, says that security in government and parastatals should be driven by technology, processes and people. The bottom line is that they need to identify and create a proper security policy in terms of the roles of people and which data they can access. Systems then need to be put in place to enforce these policies.
He believes that too many people have access to data that should be restricted. This fraud and corruption, he says, is not an issue endemic to South Africa, but rather a global problem. The first step in prevention is to ensure that all network traffic is controlled. This begins with segmentation of the network in terms of the roles and responsibilities of individual employees.
At this stage, management can control exactly which data and systems each employee is permitted to access. This, he says, goes all the way down to document level with a separate security policy attached to each document. The document should be encrypted with an addendum that specifies exactly what actions (editing, reading, forwarding) can be taken on the document. At this point, documents can be classified as restricted or partially restricted.
By encrypting documents, one is assured that if the document does manage to fall into the wrong hands, it will be useless without a decryption key. Check Point has technology that automatically decides how the document will be encrypted in terms of whether the document can be forwarded to mobile devices or a third party. If permissions are in place in terms of the security protocol attached to that document, then it will be automatically decrypted.
Hadjizenonos cautions that firewalls as the first line of IT defence are inadequate. They are easy to bypass and malicious code can be easily added on to the end user system by crafting a clever email and getting a user to run the attached file or getting the end user to click on a link that directs him to a malicious website which could download malware on to a vulnerable system. Therefore, it is critical that government and parastatals add further layers onto their cyber security systems.
The first layer is intrusion prevention. This layer actively searches for malicious content. It is followed by a layer that identifies apps and determines whether they are permitted for the specific user. By limiting the type and number of apps accessed by employees, management will be better able to stop employees exposing the system to malicious content.
The anti-bot software blade layer is the post infection layer and is generally activated to protect against malicious content that has infected machines and bypassed traditional security measures. A bot connects to a commander (the hacker) and is instructed on the action to take once it is loaded on to the machine.
Bots allow criminals to remotely control your computer to execute illegal activities such as stealing data, spreading spam, distributing malware and participating in Denial of Service (DoS) attacks without your knowledge. Bots play a key role in targeted attacks, also known as Advanced Persistent Threats (APTs). Anti-bot prevents the machine from communicating with the Internet in this instance, so in essence the commander will no longer be able to access the bot or the machine.
The biggest threat going forward, he says, is unknown malware. This is recently created malware that has not yet been defined or known malware that has been obfuscated and therefore no signature-based anti-virus software is able to halt it. It is easily and readily embedded into Office documents and runs in the background as script which infects user machines.
The solution to this is Check Point’s Threat Emulation software which prevents infections from undiscovered exploits, zero-day and targeted attacks. It quickly inspects files and runs them in a virtual sandbox to discover if they exhibit malicious behaviour. Discovered malware is then prevented from entering the network and protections are updated so that future files with the same malware can be immediately stopped without needing to be emulated again.
Check Point Threat Extraction eliminates places in documents where malware can hide. It removes the background script, including active content and various embedded objects, then reconstructs the files using known safe elements.
Another point he emphasises is the growing trend towards mobility. Employees often remove smart devices containing sensitive data from the office. By encapsulating any sensitive data so that it can only be accessed in the encrypted workspace on the device, the risk of the data falling into unauthorised hands is eliminated. Personal information, however, will be unaffected and will be totally accessible.
He concludes that all users need to be educated about simply double-clicking files to open them if there is no system protection in place. This is particularly relevant for HR departments, where they are obliged to open documents from a wide volume and variety of senders.
© Technews Publishing (Pty) Ltd | All Rights Reserved