23 Jul 2015

ISMA/OSAC Sub Saharan Regional Security Conference

SECURITY IN THE FACE OF UNCERTAINTY – DRIVING QUALITY IN SUB SAHARAN AFRICA AND CREATING ENHANCED NETWORKS.

Peermont Walmont Grand Palm

Gaborone, Botswana

September 14 – 16, 2015

Agenda will include the following:

Keynote Addresses:

Earl Miller, U.S. Ambassador to Botswana,

Balisi Mohumi Bonyongo, Managing Director, Debswana

Police Commissioner, Gaborone

Stephen Brunette, OSAC Executive Director

David Burrill, ISMA Leadership

Agenda Topics will include the following, plus more:

Security – A High Profile Issue for Senior Leadership Teams

Regional Security Overview

Ebola, Business Continuity & Crisis Management

From Cost Center to Profit Multiplier: Illicit Trade & Business Resilience

Connecting with Local Law Enforcement in Africa

Regionalization of the Boko Haram Insurgency Across the Lake Chad Basin Region

Risk and Crisis – The Significance of Effective Communications – The Martin Place Siege

Operating in Challenging African Business

Cyber Security

Responsible Business and Security – Are They Easy Bedfellows in Africa?

Guest Speakers will include:

Marjorie Ngwenya, Old Mutual Group
Paul McHugh, JTI International
OSAC Regional and Cyber Analysts
Olisa Ogwuadi, Former CSO MTN
William Godbout, The African Development Bank
Mark Shortman, AES Corporation
Mpho Kewake, Debswana Diamond Company
Neville Quinn, Chase Waterford Group
Alastair Barron, Old Mutual Group
Wayne Hendricks, Macquarie Group

Knowledge Café with Regional Security Officers from Gaborone, Abuja, Juba, Kinshasa, Nairobi, and Pretoria.

Time will be allotted for Questions/Answers and Networking.

LAUNCH OF THE AFRICAN SECURITY MANAGEMENT ASSOCIATION: THE NEW TRUSTED NETWORK.

23 Jul 2015

Security Guiding Principles

Operational Areas and Guiding Principles to Consider:

Protection Design
Protective measures must be designed to reveal a breach of security as quickly as possible, so that any attempt, intrusion or theft is discovered promptly.

Assets
The first breach of security occurs when it becomes known that a target of value exists. The presence of security staff, fences, gates, locks, access procedures and CCTV indicates that VALUABLE ASSETS exist in the facility being protected.

Security Responsibility
Security, like Safety, is the personal RESPONSIBILITY of everyone. Department Managers are responsible for security in their various departments: tools of work, personnel, etc.

Cost of Protection
Security efficiency and economy require that protective measures be commensurate with the threat and with the value of the assets to be protected.

Risk Concentration
Vulnerable targets should be concentrated in a small area so that they are easier to protect with access control, technology, guards, etc.

Sabotage
The potential for SABOTAGE should never be discounted.
Saboteurs seek to cause maximum damage with little effort or risk to themselves.

Access Criterion
• Access to vital information on Critical Assets is to be on a ‘‘Need To Know’’ basis.
• Access to Critical Assets is to be on a ‘‘Need To Go’’ basis.
• Note: The likelihood of a security breach is in direct proportion to the number of people who have access to critical assets.

Security Image
• Security must not be perceived as a ‘Spy’ body or an instrument of witch-hunt.
• All Security PPP (policy/procedure/practice) must be ‘sold’ to employees for their ‘buy-in’.
• Factors that may shape the Security Image:
o Standard of dress / comportment
o Attitude to customers
o Efficiency of operating procedures
o Overall effectiveness of the Security department

Co-Operation
Understanding between those in charge of Security and the HODs of other departments.

Protection for Security
All that protects must be protected: People, Procedures, Technology and Physical barriers.

System Approach
No single element of the Security Mix (People, Procedures, Technology, Barriers) can guarantee security on its own, but all of them together, in varying degrees, will.

Maximum Complicity
Security should be arranged so that:
• An insider needs a third party, or many employees, to be able to breach security.
• An outsider needs many employees in the same location to be able to breach security.

Surprise
• Security systems should have an element of surprise. Frequent but irregular changes of routine are recommended.
• Security is a ‘LIVE’ activity. Flexibility and a proactive approach are essential.

Earliest Warning
The most effective security system is one which gives the earliest warning, to enable an effective response. LAYERS of defence are recommended.

Guilt must be Pinned
Security losses must be narrowed down to a small area or group of people. A high probability of being apprehended will deter most thieves.

Return On Investment
Remember that Security should strive to facilitate the COMMERCIAL INTEREST of the company.

We do Security Training and Security Awareness for families, NGOs and Companies. Call us today for a discussion.

Head Office: 18 Bola Street, Anthony Village, Lagos.
Tel: 01-2916310, 01–2916311, 01-2952488, 0818 411 1123.
Email: info@mcdonsecurity.com
Twitter: @McDonSecure
www.mcdonsecurity.com

22 Jul 2015

The African Security Management Association

The African Security Management Association (ASMA)

The African Security Management Association (ASMA) will be launched at the ISMA & OSAC Sub Saharan Conference to be held in Gaborone from 14 to 16 September 2015. ASMA has been designed to be a highly prestigious organisation which will provide a truly trusted network of senior security executives based in or with significant responsibilities for Africa. Additionally, it will facilitate professional development opportunities for members and their companies. Links with other global and non-African regional prestigious trusted network security associations will be established for benchmarking, knowledge sharing and educational benefits (this is in hand). Membership will be restricted to 200 active members, which serves to encourage personal relationships between all members and reinforces the principal characteristic of a trusted network.

Requirements for active members (there are other member categories – Emeritus and Life – which are decided on a case by case basis by the Board of Directors) are:
a. On a one-off basis, any security manager/executive, from the private sector, who attends the ISMA & OSAC Sub Saharan Conference in Gaborone, Botswana from 14 to 16 September 2015 will be eligible to join and will be accepted if fees are paid before the end of September 2015. Fees are USD 140 per year. The application fee of USD 40 will be waived for this group which will be noted on ASMA records as Founding Members.
b. Following the ISMA & OSAC Conference, applicants will be asked to complete application forms which will require evidence as to their position and responsibilities in their organisation, and that their company/organisation has annual revenue in excess of USD 250 million (USD 25 million for a security service provider company; membership from this category will be restricted to 10% of total active membership). Those whose applications are approved before the end of 2015 will also be listed in ASMA records as Founding Members. Any future revision (most likely upwards) of the revenue thresholds will not have any retrospective impact on current active members.

The development and launch of this prestigious association has had the support of the International Security Management Association (ISMA) and the Overseas Security Advisory Council (OSAC) of the US Department of State.
The Founding Directors of African Security Management Association are:
Mpho Kewakae, Head of Security Debswana Diamond Company
William Godbout, Head of security The African Development Bank
Olisa Ogwuadi, CEO McDon Security Ltd (former Head of Security MTN)
Malcolm Smith, Head of Security Sasol

22 Jun 2015

SECURITY AS A COMPETITIVE EDGE FOR MULTINATIONAL CORPORATIONS IN NIGERIA

Security is the creation of a secure environment in which an organization ensures, so far as practicable, that its employees are safe and that its assets and operations are protected from theft, fraud, misappropriation, targeted espionage, wilful damage and disruption.

This was the definition offered by Olisa Don Ogwuadi, CPP, Chapter Chair, ASIS International, Chapter 206 Nigeria, while speaking on the topic Security as a Competitive Edge for Multinational Corporations in Nigeria at the July Breakfast Forum sponsored by Protection Plus Services Ltd.

He said that in the past, security was only about barriers, keeping things safe and avoiding unwanted attacks and intrusion, but in today’s insecure world only organizations that see security as a key driver of added value will win the fierce competitive economic battle.

He further added that security can and should be business driven rather than compliance driven; security is therefore not an option but a right to protect your business against uncertainties.

He disclosed that security covers a wide spectrum, including environmental security and scanning, security awareness, personnel security such as certificate verification, physical security of all facilities, security investigations and due diligence.

Competitive Intelligence, according to Ogwuadi, is segmented into three categories: people, process and technology. In the area of people, it has to do with researchers, collectors and analysts gathering from both internal and external sources.

Process, in the parlance of security, is based on the techniques, tools and methods that guide the collection, analysis and use of intelligence, and on the interaction between competitive intelligence staff and users.

As regards technology, software and hardware are used to support competitive intelligence processes, focusing mainly on the storage, retrieval and management of information.

Decisions can be made based on intelligence from early signs, e.g. news reports; targeted intelligence and classified sources are used to know the security situation of several areas in Nigeria.

Certainty increases as more intelligence is learnt. Competitive intelligence is as important as the money held by the Chief Financial Officer of an organisation.

The opportunity for an effective response to competitive forces, and the quality of that response, is key to success in business engagements.

He further added that security intelligence teaches employees what they can and should not talk about, as vital information can leak into the hands of competitors and negatively affect the organization involved.

Therefore, he said, staff of various organizations should make sure their organization’s competitive intelligence is protected.

The effects of poor security, according to Don, are direct losses to the organisation. Examples of these are supply chain interruptions, breaks in business continuity, wilful damage, theft, staff costs and litigation. Indirect losses, such as brand value erosion, reputation damage, loss of market share, loss of key staff and increased insurance premiums, will also occur.

According to him, security guarantees the prevention of leakage of intellectual property between brands, and a brand has no value if it cannot be trusted.

The security expert said that supply chain protection is necessary, because companies will fail if a key supply chain is disrupted, and that security helps to enforce a corporate governance culture.

On a final note, he gave the following security advice: investigate local knowledge; know the city; know the culture and the people; adopt a low personal profile; communicate well with all staff; have a planned response to emergencies; and observe good housekeeping.

Foluso Phillips, Chairman of the Nigerian-South African Chamber of Commerce commended Olisa Don Ogwuadi for his resourceful and detailed presentation.

19 Jun 2015

How to Keep Your Website Safe Online

You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not to steal your data or deface your website, but instead attempts to use your server as an email relay for spam, or to setup a temporary web server, normally to serve files of an illegal nature.

Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software. Here are our top 10 tips to help keep you and your site safe online.

01. Keep software up to date

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them.

If you are using a managed hosting solution then you don’t need to worry so much about applying security updates for the operating system as the hosting company should take care of this.

If you are using third-party software on your website such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco and many other CMSes notify you of available system updates when you log in.

02. SQL injection

SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you build queries from standard Transact-SQL strings it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterised queries; most web languages have this feature and it is easy to implement.

Consider this query:

"SELECT * FROM table WHERE column = '" + parameter + "';"

If an attacker changed the URL parameter to pass in ' or '1'='1 this will cause the query to look like this:

"SELECT * FROM table WHERE column = '' OR '1'='1';"

Since '1' is equal to '1' this will allow the attacker to add an additional query to the end of the SQL statement which will also be executed.
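The two queries above, reproduced as an added example in Python with SQLite (this is not code from the original article): the concatenated version returns every row when given the `' OR '1'='1` input, while the parameterised version treats the same input as an ordinary username and returns nothing.

```python
import sqlite3

# Constructed sample rows, not data from the article.
ROWS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The article's pattern: the parameter is concatenated into the SQL text,
    so quote characters inside it become part of the query itself."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "';"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The fix: the value is passed separately from the SQL text, so the
    database always treats it as data, never as part of the statement."""
    sql = "SELECT id, username FROM users WHERE username = ?;"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with the article's input."""
    conn = make_db()
    normal = "alice"
    tautology = "' OR '1'='1"   # closes the string, then adds an always-true test
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tautology": lookup_vulnerable(conn, tautology),   # every row
        "safe_normal": lookup_parameterised(conn, normal),
        "safe_tautology": lookup_parameterised(conn, tautology),  # no such user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```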

03. XSS

Cross site scripting is when an attacker tries to pass in JavaScript or other scripting code into a web form to attempt to run malicious code for visitors of your site. When creating a form always ensure you check the data being submitted and encode or strip out any HTML.

04. Error messages

Be careful with how much information you give away in your error messages. For example, if you have a login form on your website you should think about the language you use to communicate failure when attempting logins. You should use generic messages like “Incorrect username or password” so as not to reveal when a user got half of the query right. If an attacker tries a brute force attack to get a username and password and the error message gives away when one of the fields is correct, then the attacker knows he has one of the fields and can concentrate on the other.

05. Server side validation/form validation

Validation should always be done both on the browser and on the server side. The browser can catch simple failures like mandatory fields that are empty or text entered into a numbers-only field. These checks can however be bypassed, so you should make sure you repeat them, and perform deeper validation, on the server side; failing to do so could lead to malicious code or scripting code being inserted into the database, or could cause undesirable results on your website.

06. Passwords

Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords for your server and website admin area, but it is equally important to insist on good password practices for your users to protect the security of their accounts.

As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter and number will help to protect their information in the long run.

Passwords should always be stored as encrypted values, preferably using a one way hashing algorithm such as SHA. Using this method means when you are authenticating users you are only ever comparing encrypted values. For extra website security it is a good idea to salt the passwords, using a new salt per password.

In the event of someone hacking in and stealing your passwords, using hashed passwords could help damage limitation, as decrypting them is not possible. The best someone can do is a dictionary attack or brute force attack, essentially guessing every combination until it finds a match. When using salted passwords the process of cracking a large number of passwords is even slower as every guess has to be hashed separately for every salt + password which is computationally very expensive.
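An added Python example (not code from the original article) of the salted, one-way storage described above: a fresh random salt per password, a constant-time comparison at login, and the article's suggested minimum password rules. It uses PBKDF2-HMAC-SHA256 from the standard library rather than a single SHA call, and the iteration count is an assumption chosen for the example.

```python
import hashlib
import hmac
import os

# Work factor: every guess an attacker makes costs this many SHA-256 rounds.
# Assumption: chosen for the example, not a value from the article.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'. A new 16-byte random salt is drawn for
    each password unless one is supplied, so identical passwords never
    share a stored value and each must be cracked separately."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and compare in constant time,
    so only hashed values are ever compared and timing leaks nothing."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_different_hashes(password):
    """True when two users with the same password get different stored values."""
    return hash_password(password) != hash_password(password)


def meets_policy(password):
    """The article's suggested minimum: about eight characters, at least one
    uppercase letter and at least one digit."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    record = hash_password("Correct1Horse")
    print(record)
    print(verify_password("Correct1Horse", record), verify_password("wrong", record))
```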

Thankfully, many CMSes provide user management out of the box with a lot of these website security features built in, although some configuration or extra modules might be required to use salted passwords (pre Drupal 7) or to set the minimum password strength. If you are using .NET then it’s worth using membership providers as they are very configurable, provide inbuilt website security and include readymade controls for login and password reset.

07. File uploads

Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar. The risk is that any file uploaded however innocent it may look, could contain a script that when executed on your server completely opens up your website.

If you have a file upload form then you need to treat all files with great suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, is not foolproof. Most image formats allow a comment section to be stored, which could contain PHP code that could be executed by the server.

So what can you do to prevent this? Ultimately you want to stop users from being able to execute any file they upload. By default web servers won’t attempt to execute files with image extensions, but it isn’t recommended to rely solely on checking the file extension as a file with the name image.jpg.php has been known to get through.

Some options are to rename the file on upload to ensure the correct file extension, or to change the file permissions, for example chmod 0666, so it can’t be executed. If using *nix you could create a .htaccess file (see below) that will only allow access to a set of files, preventing the double extension attack mentioned earlier.

    deny from all
    <Files ~ "^\w+\.(gif|jpe?g|png)$">
    order deny,allow
    allow from all
    </Files>

Ultimately, the recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to your website are stored in a folder outside of the webroot or in the database as a blob. If your files are not directly accessible you will need to create a script to fetch the files from the private folder (or an HTTP handler in .NET) and deliver them to the browser. Image tags support an src attribute that need not be a direct URL to an image, so your src attribute can point to your file delivery script, provided you set the correct content type in the HTTP header. For example:

    <img src="/imageDelivery.php?id=1234" />

    <?php
    // imageDelivery.php

    // Fetch the image filename from the database based on $_GET["id"]
    …

    // Deliver the image to the browser with the correct content type
    header('Content-Type: image/gif');
    readfile('images/' . $fileName);
    ?>
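An added Python example (not the article's code) of the upload checks described in this section: the filename is matched against the same allow-list as the .htaccess rule above, the file header is checked against the claimed image type, and the name under which the file is stored is chosen by the server rather than the client. The sample files are constructed for the example.

```python
import re
import uuid

# Same allow-list the .htaccess rule uses: a word-only base name and exactly
# one image extension, so "image.jpg.php" fails because of the second dot.
SAFE_IMAGE_NAME = re.compile(r"^\w+\.(gif|jpe?g|png)$", re.IGNORECASE)

# Leading bytes of each allowed format, checked in addition to the name,
# since the extension and the client-supplied MIME type can both be faked.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def extension_of(name):
    """Normalised extension ('jpeg' is folded into 'jpg')."""
    ext = name.rsplit(".", 1)[-1].lower()
    return "jpg" if ext == "jpeg" else ext


def is_acceptable_image(name, data):
    """Accept only if both the filename and the file header match an allowed format."""
    if not SAFE_IMAGE_NAME.match(name):
        return False
    return data.startswith(MAGIC[extension_of(name)])


def stored_name(name):
    """Server-chosen name: a random id plus the validated extension, so the
    client's own filename never reaches the filesystem."""
    return uuid.uuid4().hex + "." + extension_of(name)


# Constructed sample uploads (name -> first bytes), not real files.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,          # genuine header
    "image.jpg.php": b"\xff\xd8\xff\xe0" + b"\x00" * 8,        # double extension
    "fake.gif": b"<?php /* not an image */ ?>",                # wrong header
    "../../etc/passwd.png": b"\x89PNG\r\n\x1a\n",              # path characters
}


def classify(samples=SAMPLES):
    """Map each sample name to whether it would be accepted."""
    return {name: is_acceptable_image(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{name!r}: {'accepted as ' + stored_name(name) if ok else 'rejected'}")
```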

08. Server security

Most hosting providers deal with the server configuration for you, but if you are hosting your website on your own server then there are a few things you will want to check.

Ensure you have a firewall set up and are blocking all non-essential ports. If possible, set up a DMZ (Demilitarised Zone) that only allows access to ports 80 and 443 from the outside world. This might not be possible if you don’t have access to your server from an internal network, as you would then need to open up ports to allow uploading files and to log in to your server remotely over SSH or RDP.

If you are allowing files to be uploaded from the Internet only use secure transport methods to your server such as SFTP or SSH.

If possible have your database running on a different server to that of your web server. Doing this means the database server cannot be accessed directly from the outside world, only your web server can access it, minimising the risk of your data being exposed.

Finally, don’t forget about restricting physical access to your server.

09. SSL

SSL is a protocol used to provide security over the Internet. It is a good idea to use a security certificate whenever you are passing personal information between the website and web server or database. Attackers could sniff for this information and if the communication medium is not secure could capture it and use this information to gain access to user accounts and personal data.

10. Website security tools

Once you think you have done all you can then it’s time to test your website security. The most effective way of doing this is via the use of some website security tools, often referred to as penetration testing or pen testing for short.

There are many commercial and free products to assist you with this. They work on a similar basis to the scripts hackers use, in that they test all known exploits and attempt to compromise your site using some of the previously mentioned methods such as SQL injection.