Watching The Web

One of the biggest challenges in the world of cybersecurity is trying to figure out what threats are real and what are simply good headlines. We hear of massive data breaches at multinational companies all the time, but unless we are directly affected, the numbers involved can seem abstract.

There’s a real risk, fear many experts, that instead of raising awareness and helping people to understand how careful they need to be with online security, news stories about big breaches may achieve entirely the wrong effect – that we become desensitised to horror stories and imagine that if it hasn’t happened to you yet, it never will.

To understand how real the threat is, we paid a visit to Vodacom’s South African HQ in Midrand. It’s here that, in April 2015, the company set up its Cyber Intelligence Centre (CIC) to monitor and respond to security incidents on its African network.

Ever-vigilant

Vodacom operates mobile networks in six African countries and offers business services in 26 others. As a result, its networks and customers are constantly being tested for vulnerabilities by international criminals. It’s in the firm’s interests to be seen to be protecting those customers, and so its security operations provide an almost unique insight into what really happens in African cyberspace.

The South African CIC is part of a network of similar centres within Vodacom’s parent organisation, the Vodafone group. Vodafone’s sharing of data with other centres in the UK and Australia means the company has “follow the sun” capabilities – whatever time of day it is, one centre will be fully staffed and alert.

Plus, since cybercrime is truly international in nature, it means there’s a better chance of catching criminals. Most attacks in Africa originate from Russia, Ukraine and China, says manager for technology security, Johan Taute, and data gathered by the South African team was recently used to assist in prosecuting cybercriminals in Germany.

Working with others

The first thing you notice when entering the CIC, however, is not the screens with information specific to the Vodacom network. It’s the feeds from almost every major multinational internet security firm, which list detections of potentially nefarious activity all over the continent.

These feeds pick up common malware signatures and attempts to breach database servers via SQL injection, as well as unexpected spikes in data traffic and other events that could indicate an attack is under way.

The centre usually picks up around 200 000 incidents an hour, but this rose to 4.2-million when online activists from the Anonymous group launched an African campaign, explains Vodacom’s executive head of technology security, Darshan Lakha. Most are automatically detected and blocked, but information is also fed to teams of security experts Taute calls “hunters”, whose job it is to reverse-engineer attacks in order to understand what they are facing and how they can be stopped.

Lakha says there are two major trends he’s picked up on this year. “One is that there’s a lot more ‘ransomware’ than before,” he says. “The other is the scale of DDOS attacks. A typical low-level attack used to generate around 50Mbps of traffic at its peak, but now it can routinely be up to 25Gbps.”

Meeting the increased threat, however, is tough. Like most in the industry today, Taute says finding people with the right skills to work in cybersecurity is tough, and always changing. Mobile operators are beginning to introduce “narrowband” technologies that will allow hundreds of thousands of new low-power devices to connect to their networks, creating just as many new potential places for attacks to occur.

“What you learned in security just five years ago is different from what you need today.”

Know your jargon

SQL injection

Most websites and applications are created using the SQL database programming language. Attacks using SQL injection involve trying to trick a database into giving more information than it should by adding bits of code to entry fields.

Malware

This is “bad software”, such as a computer virus, Trojan or – increasingly – ransomware used to attack another computer.

DDOS

Distributed Denial of Service. A DDOS involves trying to crash a web server  by flooding it with traffic, generated  from hundreds or thousands or even millions of PCs, phones and online  devices infected with malware.