There has been a series of attacks on web-based applications in Ghana in recent times. In the past three years, Ghanaian organizations and agencies, most especially government agencies, have experienced severe cyber-attacks.
Most organizations in the country operate their web-based applications without protecting the HTML codes. HTML (Hypertext Markup Language) is the set of markup symbols or codes inserted in a file intended for display on a World Wide Web (www) browser page. The markup tells the web browser how to display a web page’s words and images for the user.
On Friday, 12 May 2017, it was reported that over 250,000 computers were infected with WannaCry Ransomware attacks in over 150 countries. The private media houses in Ghana had earlier experienced a major cyber-attack on their websites, which rendered the sites inaccessible to readers. The media websites attacked included ghanaweb.com, peacefmonline.com, myjoyononline.com, and adomonline.com.
This report indicated that Ghanaian organizations needed to embrace the global cyber security threat against institutions. The global cyber threat against institutions like banks, schools, data storage agencies, health institutions, law firms, etc. is intended to steal data and money, erase data, or permanently destroy sensitive data.
Organizations must therefore be extremely cautious about how to protect their collected data, and how to process, transmit, and store information about their employees, suppliers, vendors, etc.
The Bank of Ghana, startled by the recent cybercrime activities in Ghana, has warned banks in the country to strengthen their cyber security systems to forestall attacks. In a statement, the Second Deputy Governor of the Bank of Ghana, Johnson Asiamah, said, “The growing threat of cyber-attacks has never been more pressing. Recent instances of payment fraud demonstrate the necessity for industry-wide collaboration to fight against threats”.
A typical example of the cyber-attacks on Ghanaian web applications has to do with Alsancak Tim, who is a Turkish hacker. He has successfully hacked several websites belonging to agencies and ministries in Ghana.
Tim usually uses ransomware, denial of service, phishing, and other cybercrime techniques on his victims, notably his malware attack on the Ghana government website (www.ghana.gov.gh) on 20th January 2015. Several government agencies have suffered similar attacks on different occasions. Some websites Tim attacked include:
http://www.mfa.gov.gh/ – http://zone-h.org/mirror/id/23569429
http://moc.gov.gh/ – http://zone-h.org/mirror/id/23569666
http://scholarships.gov.gh/ – http://turk-h.org/defacement/view/560295/scholarships.gov.gh/
http://nss.gov.gh/ – http://zone-h.org/mirror/id/23569393
http://nfed.gov.gh/ – http://zone-h.org/mirror/id/23569410
http://www.motcca.gov.gh/ – http://zone-h.org/mirror/id/23569549
http://www.gida.gov.gh/site/p_ongoing – http://zone-h.org/mirror/id/23569660
These cyber-attacks have also been launched against organizations by cyber criminals globally. A search I conducted indicates that several organizations across the globe operate their web applications without proper security measures. Globally, organizations that have not been hit severely by the impact of cyber-attacks do not see the urgency to implement security technologies and proper cybersecurity policies.
There are few institutions like banks, universities, and health facilities with resilient web-based applications, making web penetration attacks extremely difficult for cybercriminals. These are a few websites I visited and found to be secured: Barclays Bank: https://www.home.barclays/; Kwame Nkrumah University of Science and Technology: https://www.knust.edu.gh/; https://www.dataprotection.org.gh/.
Technological advancement has caused the need to implement security measures when developing web applications. Malicious persons are constantly exploring the vulnerabilities and weak security patches in organizations’ networks to launch devastating attacks.
Government agencies and private organizations must deploy secured web-based application protocols such as SSL certificates and a well-built, secured database system. This advanced security technique may come with extra cost since one needs to buy an SSL certificate, Dedicated IP, Domain Privacy, and Site Backup, to ensure a secure and safe website.
Other predominant vulnerabilities web developers must check include broken authentication and session management, insecure direct object references, security misconfiguration, insecure cryptographic storage, etc. Vulnerability assessment tests and penetration tests must be conducted on websites regularly to ensure websites are resilient against any known and unknown cyber-attacks.
Before you make any payment for online transactions, ensure that the website has HTTPS protocol (locked padlock sign, e.g. https://www.dataprotection.org.gh/). Do not share your personal data or make any form of payment with your debit card if the website only has HTTP but not HTTPS protocol. The best secured and trusted website must have HTTPS rather than unsecured HTTP.
Business owners must also ensure they engage the services of professional penetration testers regularly to conduct a vulnerability assessment and penetration test on their organization’s network infrastructure and web application.
As Ghana celebrates her cyber security awareness this week, let us all follow the activities and the series of events as experts and professionals in the industry share their experiences and thoughts.
The writer is an ICT expert and member of the Institute of ICT Professionals, Ghana. For comments, contact author: firstname.lastname@example.org
The Institute of ICT Professionals, Ghana (IIPGH) is a non-profit professional body that is currently made up of members in various domains of Information and Communication Technology (ICT) practice.
The Institute has been formed to help tackle the ICT human resource constraint in Ghana. The main aim of the Institute is to become a connector by bringing together the Government, big corporations, start-ups, educational institutions, and investors on one platform in order to create a vibrant ICT ecosystem. You can reach us at +233(0) 242 773 762, email@example.com, www.iipgh.org.