Today, every company or organization worth its name has at least more than 70% of its workforce doing office work on computers. Most staff have basic computer skills to enable them perform office tasks.
Computer work contains sensitive information ranging from the financial stand of the company, strategy, customer details and the company trade secrets–information all companies guard jealously from their competitors lest they are edged out of business or risk spending a lot in legal costs in court cases.
However, after buying the desk top computers, mobile gadgets or lap tops and connecting them to the local area network including the Internet, what security measures do companies put in place to ensure that the treasured company information does not leak out to the competitors or worse still, how often do companies go out of their way to deliberately train all the staff using computers on the basic computer security skills?
With the rising wave of hackings into websites, data bases, the new wave of computer aided fraud is placing the security of organizations operating business on computers and the internet, into very vulnerable positions of losing financial resources as well as vital company information.
In Uganda, the banking and the telecoms which are the fastest growing sectors in the economy, are the most affected with banks registering huge losses of funds from customer accounts, electronic fund transfers, where lots of money is sent through the internet into banks, while in the telecommunications sector, the most common forms of computer related crimes include jamming of the telephone networks, dropped telephone phone calls and incomplete call metering where phone calls do not last the 60 seconds in a minute. Welcome to cyber crime.
According to Mustapha Mugisa an anti-cyber-fraud and computer forensic expert, hacking is a process of gaining unlawful access into one’s computer system using technical or social skills or both depending on the security awareness of the target of interest. He says the first step in hacking is foot printing and reconnaissance. He explains that foot printing involves understanding the target system and studying the security practices in that system so that the hacker can exploit the weakest point of vulnerability.
He observes that most times the points of vulnerability include but not limited to the company password usage policy, staff awareness on computer security, open ports on the company network, IT systems especially use of outdated software, firewalls/ intrusion detection systems/ gateway routers left in default settings with weak passwords, un-encrypted e-mails (failure to use digital certificates and encryption) which is the most common point of entry because most times they are insecure.
Mustapha says in banks, hackers easily exploit ordinary computer users (bank tellers, customer care, loan officers, and administrator who account for over 80% of computer use) and avoid the 20% technical users (IT and internal audit teams) because the 80% are not knowledgeable in computer security. “All a hacker needs is an understanding of say a bank teller’s e-mail, the knowledge and interests of the user and hacker sends an e-mail requesting the teller to click onto a link which in the process installs a software (key logger) remotely and stealthily on the teller’s computer and whichever key the teller touches thereafter, will be emailed directly to the hacker’s computer immediately,” he explains adding that through the process, the hacker will have access to all the teller’s passwords and the best way for banks to guard against such hackers is by training all users against clicking on such e-mails and disabling the administrative rights on user machines.
He observes once the hacking is successful, the hackers can gain access to all bank information like the shares held in the bank, all customer bank account details, advising that because the technology uses services which run over ports and internet protocol (IP)
. During foot printing, hackers look for open and unsecured ports like the post office protocol (POP), Domain Name Server (DNS) or the simple mail transfer protocol (FTP), once these are open, it becomes easier for the hackers to access other users’ e-mails an omission which is contrary to the 2011 electronic transactions act because all most business e-mails are not digitally signed yet digital signatures are supposed to ensure that the e-mail has integrity and the recipient does not deny receiving the mail (non-repudiation). He says that there is no single IT system or banking application that cannot be hacked. Systems with strong security only make it harder to hack requiring a lot of time and patience, which time hackers usually don’t have.
“With e-commerce today, one will send you mail instructing you to transact for him or her and to ensure that you do not deny having received the instructions by e-mail, it should be digitally signed. Unfortunately in Uganda, there is limited capacity to investigate and prosecute computer related crimes yet they are punishable under the 2011 computer misuse act. There is weak capacity by law enforcement to investigate computer crime,” he says adding that computer hacking is a crime punishable under the 2011 misuse act.