
Kenya Methodist University is working towards offering Certified Ethical Hacker (version 7) in the coming months, probably during the next intake in September. However, it is one thing to teach people security stuff, and its another animal to have them actually implement it. IMHO, we should have standards and have the mechanism to enforce those standards; for example, KICTB can say that all software done for the government MUST conform to PCI DSS and/or ISO 27001 or other ideal standard, then it goes ahead and audits all said software for such conformity, on a regular basis. On the issue of websites, I believe these are the easiest to compromise and still the easiest to secure, it is the developers of these websites who are lazy and fail to do their homework. I think specific security guidelines can cover this. Finally, in as much as we keep lumping all the work to the government, let us also play our part and engage the affected organizations directly. I can personally attest to the fact that the CIRT team @ CCK actually responds to issues. On Tue, Jul 5, 2011 at 11:01 PM, ty <tyruskam@gmail.com> wrote:
Thank you Barrack for your response.
Its a shame that none of our universities (correction is welcome) and tertiary institutions including our police academies have Cyber Crime as a core element in the curriculum. I laughed at a statement made by the police commissioner on the Kenya Police defacement and he said that any one with information that could lead to the apprehension of the perpetrators should visit the nearest police station. So I asked myself, go and report *What * exactly? There isnt a clear way to handle electronic evidence in the first place. Am willing to bet there wasnt an incidence report and threat mitigation policy to that effect as well. Do we have Govt forensic officers who can deal with such cases?
In the same breath, Social Engineering being the oldest hack in the book, is still very well alive today. I dont know if banking staff or any other *high risk *personnel are trained on distinguishing legit and con artists.
As the Govt pushes to improve what id term as physical security, I would implore them to bear in mind the unseen and uncanny ugly head of cyber terrorism. With the move to concentrate all public information to one holding tank, it begs the question what tangible measures have been put in place. And I dont think its only the Govt that should be put to question. Even private holdings, they too are notoriously known to cut corners and compromise on guarding against cyber crimes by hiding behind the blatant excuse that such threats are simply illusions and only happen in America etc etc
-tyrus.
On Tue, Jul 5, 2011 at 10:41 PM, Barrack Otieno <otieno.barrack@gmail.com>wrote:
Thanks Ty, for the comprehensive response, you rightly mention the fact that there are many strategies but execution is the problem, I recently heard an interesting speech by his excellency the president at the military academy in Lanet where he urged the academy to equip itself against emerging threats through enhanced curricula , I assumed emerging threats include Cybercrime, what is the role of Universities and academic institutions in combating Cybercrime in view of the recent collaborative efforts between KU, Egerton and our uniformed forces?
On 7/5/11, ty <tyruskam@gmail.com> wrote:
Barrack, See inline,
On Tue, Jul 5, 2011 at 8:22 PM, Barrack Otieno <otieno.barrack@gmail.com>wrote:
Dear Listers,
· With Cyber Security threats increasing at an alarming rate, what strategies can we embrace as a nation to address and combat the threats?
To start with, my biggest approach has been compliance. What do I mean? Some 3-4 years ago, we had a debate on Kictanet and Skunkworks as well about what measure companies and the Government should take to curb Cyberthreats which include but arent limited to Identity Theft, online and mobile money laundering, core infrastructure security etc etc. For starters, the biggest threat comes from none other than we humans. Any deployment carried out without a thoroughly thought out strategy will fail dismally in so many fronts. Personally I applaud the Govt for seeing the importance of having policies in place but my fear and worry has always been execution. The Kenya Police website hack is barely even the icing on the cake as to how far deep cyber crime can root itself. Even more sad is that in certain instances some corporate outfits boasting of offering Information Security awareness, assessments etc do a piecemeal job at it. This is akin to someone assessing your house and if he identifies that your door is the most vulnerable entry point and proceeds to recommend you to repaint your door!
My opinion would be to raise awareness via such forums. Initially when skunkworks began, there was a very strong drive to hold talks over subjects such as this (I thank the mods for offering me an opportunity to present on one occasion). I would also encourage the Govt to see through the efforts in place to ensure that compliance and standards revolving around the fast growing world of IT are implemented and arent just white elephant projects.
· What initiatives are needed to ensure there is sufficient
awareness and education on Cyber threats?
Lets take social networking as a case study. Most people hardly think twice when signing up or logging into any social network. The amount of information you give away is an all too familiar subject which most people either ignore or find too pedestrian to contemplate. Another front to think about it online/mobile transactions. Do you trust whoever you are providing your banking/credit card details? What level of compliance (ISO 27001/PCI DSS) are they adhering to? A third front is the latest boy in the yard, cloud computing. Do you feel safe relinquishing all your data to some cloud? Who else is accessing that cloud. Like I always say, Cyber crime is like a cancer, it slowly creeps and once manifested, the consequences are grave. Case in point, the recent Lulzsec saga and HB Gary's incident.
On a technical level, I would advocate for Red Teaming (google is your friend) as a methodology to identify potential threats upto and including physical penetration etc. For those in security (CISA, CISSP, CEH etc etc etc), its time to stop with the mentality of "someone could break into this". go ahead and show your clients how horrible the world can be. If you are protecting against a static threat then security becomes a very easy task for anyone. But that's not the nature of things. We have dynamic threats which need continuous assessments, user training and awareness.
I know the above goes against compliance. Saying you are compliant is equivalent to saying you have bread in your cupboard and claiming that no can break through into your house.
Strictly my opinion and I welcome anyone else's
-ty
the floor is open, feel free to continue commenting on previous
threads.
Best Regards -- Barrack O. Otieno
+254721325277 +254-20-2498789 Skype: barrack.otieno _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Sent from my mobile device
Barrack O. Otieno Afriregister Ltd (Kenya) www.afrire <http://www.afriregister.com>gister.bi, www.afriregister.com<http://www.afriergister.com> <http://www.afriregister.com>ICANN accredited registrar +254721325277 +254-20-2498789 Skype: barrack.otieno _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke