
CYBERSECURITY – NITDA WEBSITE HACK; WHY ISO27001 IT SECURITY CONTROLS ARE NECESSARY


Destiny Young (http://linktr.ee/youngdestinya)
Destiny Young is a highly credentialed information technology professional with over 14 years of industry experience. An HND/BSc (Hons) in Computer Science graduate. He holds a Master of Technology degree in Information Technology from the prestigious University of South Africa (UNISA). He is a Distinction-grade MBA alumnus of Nexford University, Washington, DC, where he also obtained a First-class MSc degree in Digital Transformation. His professional development direction is in Cybersecurity, Digital Transformation, and Business Intelligence. He is a member of the British Computer Society (BCS), the Chartered Institute of Administration of Nigeria (CIA), the Nigeria Computer Society (NCS), etc.

…why organisational leadership must understand the exigency of the time and technology

The official website of the National Information Technology Development Agency (NITDA) was hacked on December 7, 2022, by a hacker group calling themselves z7F HackEr, as per the attached photo. I ran a check on the website this morning at 6:59am and found that the website is unreachable, returning HTTP error 403 (Forbidden: the web server received the request but refused to serve the page, so the browser cannot display the content of the site).

As part of the cybersecurity research I am currently doing, and also to contribute to the body of knowledge around information security, I have captured this cyber-attack incident in my research thesis and want to make the following observations:

1. The threat actors exploited a vulnerability in NITDA’s web server database and were able to modify the website’s [index.html], the default page in a website’s directory, i.e. the page that loads first when a visitor opens the home page or root URL of a website.

2. In modifying the index file, the attacker introduced the text:

/$ ./Login

HaCkEd By z7F HaCkEr/

Screenshot taken when NITDA was hacked
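As an added example (not NITDA’s code and not the author’s solution), the following Python script shows the kind of file-integrity check that would catch a modified index.html: it records a SHA-256 baseline of every file under the document root, reports files that were later modified, added or removed, and scans the page for the defacement string quoted above. The web root, file names and page contents are constructed for the demonstration.

```python
"""Defacement detection by web-root file integrity monitoring.

Added, hypothetical example: baseline every file under the document root,
compare a later snapshot against it, and scan HTML for known defacement
markers such as the string left on the hacked page.
"""
import hashlib
import os
import re
import tempfile

# Defacement markers taken from the incident above; extend with your own.
DEFACEMENT_MARKERS = [
    re.compile(r"hacked\s+by", re.IGNORECASE),
    re.compile(r"\./Login"),
]


def _sha256(path):
    """Stream a file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline


def check_integrity(root, baseline):
    """Compare the current tree against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def find_defacement_markers(text):
    """Return the patterns of every defacement marker found in the page text."""
    return [m.pattern for m in DEFACEMENT_MARKERS if m.search(text)]


def demo():
    """Constructed scenario: clean site, take baseline, then index.html is defaced."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
            f.write("<html><body><h1>Welcome to the agency portal</h1></body></html>")
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "css", "site.css"), "w", encoding="utf-8") as f:
            f.write("body { font-family: sans-serif; }")
        baseline = build_baseline(root)

        # Simulate the defacement described in the article plus one dropped file.
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
            f.write("/$ ./Login\nHaCkEd By z7F HaCkEr/\n")
        with open(os.path.join(root, "hello.txt"), "w", encoding="utf-8") as f:
            f.write("constructed extra file")

        report = check_integrity(root, baseline)
        with open(os.path.join(root, "index.html"), encoding="utf-8") as f:
            report["markers"] = find_defacement_markers(f.read())
        return report


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host (or signed) so an attacker who can write to the web root cannot also rewrite the hashes, and the check would run from cron or a file-change watcher and page an operator on any difference.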

Well, NITDA immediately spotted the cyber incident and implemented a recovery process, putting website visitors on notice that the website is undergoing scheduled maintenance. I am ethically bound as a cybersecurity professional to make the following contributions for the benefit of other government organisations who may become the next target:

1. Research in cybersecurity is critical to developing strategies and tools for defending against cyber threats. It also helps identify potential security risks and vulnerabilities. As technology continues to evolve, so does the sophistication of cyberattacks. Cybersecurity research is essential for staying ahead of the ever-evolving threat landscape.

2. ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for organizations to follow in order to implement and maintain a comprehensive information security program. The standard outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS, as well as the processes and controls that should be in place to protect information assets. ISO 27001 is designed to help organizations ensure the confidentiality, integrity, and availability of their information, and to protect against security threats such as unauthorized access, data breaches, and cyber-attacks.

3. ISO/IEC 27002 further provides implementation guidance for the controls referenced in Annex A of ISO/IEC 27001, including the IT security controls organisations should apply to their web environments to protect servers against security breaches.

What has just happened to NITDA could have been prevented, or at least detected early, with a simple web-server security solution that provides the following:

1. Threat detection
2. Vulnerability Scan
3. Firewall
4. Threat mitigation

The above four (4) security controls fall under the technological controls theme (clause 8 of ISO/IEC 27002:2022, mirrored in Annex A of the ISO/IEC 27001:2022 ISMS standard).

On one of the websites I built for a government organisation, there have been over 10,000 attempts to break into the web server, but it has not been possible because I took my time to implement end-to-end information security controls: access and file management.

The following attachments are reports from a simple webserver security solution I implemented on a website I designed for a government organisation in Nigeria.

Report: hackers’ attempts blocked per IP address by the IT security controls I implemented on a government website
Report: hackers’ attempts blocked per country by the IT security controls I implemented on a government website
Report: hackers’ recent attempts blocked by the IT security controls I implemented on a government website
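The following is an added example, not the author’s security solution nor any vendor’s product, of the threat detection and mitigation controls listed above, run over constructed web-server access log lines. It parses combined-format log entries, counts probes of sensitive paths and error responses per client IP, blocks addresses that cross a threshold, tallies blocked attempts per IP and per country (the kind of report shown in the attachments), and emits firewall rules. The sample log lines, the IP-to-country table, the probe path list, the threshold and the use of iptables are assumptions for the demonstration; a real deployment would use a GeoIP database and tune the rules to its own traffic.

```python
"""Log-based threat detection, blocking and per-IP / per-country reporting.

Added, hypothetical example. Assumes the Apache/Nginx combined log format
and an iptables firewall; the GeoIP table and log lines are constructed.
"""
import re
from collections import Counter

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a legitimate visitor of a static government site never requests (assumed list).
PROBE_PATHS = re.compile(
    r"(wp-login\.php|xmlrpc\.php|/phpmyadmin|\.env$|/\.git/|/admin\b)", re.IGNORECASE
)

# Constructed IP-to-country table standing in for a real GeoIP database.
GEO = {
    "198.51.100.7": "Country A",
    "203.0.113.9": "Country B",
    "203.0.113.10": "Country B",
    "192.0.2.44": "Country C",
}

BLOCK_THRESHOLD = 3  # suspicious requests from one IP before it is blocked (assumed)

# Constructed sample log using documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Dec/2022:06:12:01 +0100] "GET / HTTP/1.1" 200 5123
203.0.113.9 - - [07/Dec/2022:06:12:05 +0100] "GET /wp-login.php HTTP/1.1" 404 210
203.0.113.9 - - [07/Dec/2022:06:12:06 +0100] "POST /xmlrpc.php HTTP/1.1" 404 210
203.0.113.9 - - [07/Dec/2022:06:12:07 +0100] "GET /.env HTTP/1.1" 403 162
203.0.113.9 - - [07/Dec/2022:06:12:08 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 210
192.0.2.44 - - [07/Dec/2022:06:13:00 +0100] "GET /admin HTTP/1.1" 403 162
192.0.2.44 - - [07/Dec/2022:06:13:01 +0100] "GET /admin/login HTTP/1.1" 403 162
192.0.2.44 - - [07/Dec/2022:06:13:02 +0100] "GET /admin/config HTTP/1.1" 403 162
203.0.113.10 - - [07/Dec/2022:06:14:00 +0100] "GET /about.html HTTP/1.1" 200 3311
198.51.100.7 - - [07/Dec/2022:06:15:00 +0100] "GET /news/2022 HTTP/1.1" 404 210
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    return req


def is_suspicious(req):
    """A probe of a sensitive path, or an auth/not-found error, counts as an attempt."""
    return bool(PROBE_PATHS.search(req["path"])) or req["status"] in (401, 403, 404)


def detect(lines):
    """Count suspicious requests per IP and decide which IPs to block."""
    attempts = Counter()
    for line in lines:
        req = parse_line(line)
        if req and is_suspicious(req):
            attempts[req["ip"]] += 1
    blocked = sorted(ip for ip, n in attempts.items() if n >= BLOCK_THRESHOLD)
    return attempts, blocked


def report_by_country(attempts, blocked):
    """Blocked attempts aggregated per country (the per-country report)."""
    per_country = Counter()
    for ip in blocked:
        per_country[GEO.get(ip, "Unknown")] += attempts[ip]
    return dict(per_country)


def firewall_rules(blocked):
    """Mitigation: one iptables DROP rule per blocked address (assumed firewall)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocked]


def demo(log_text=SAMPLE_LOG):
    """Run detection over the sample log and return every report in one dict."""
    attempts, blocked = detect(log_text.splitlines())
    return {
        "attempts": dict(attempts),
        "blocked": blocked,
        "by_country": report_by_country(attempts, blocked),
        "rules": firewall_rules(blocked),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that a single 404 from an ordinary visitor (198.51.100.7 requesting a stale link) is counted but stays below the threshold, so it is never blocked; the threshold and the window over which attempts are counted are what separate a firewall from a self-inflicted denial of service, and both need tuning against the site’s real traffic before rules are applied automatically.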