On 7/5/11, ty <tyruskam@gmail.com> wrote:
>
> Barrack, see inline.
>
> On Tue, Jul 5, 2011 at 8:22 PM, Barrack Otieno <otieno.barrack@gmail.com> wrote:
>
>> Dear Listers,
>>
>> · With Cyber Security threats increasing at an alarming rate,
>> what strategies can we embrace as a nation to address and combat
>> the threats?
>>
>
> To start with, my biggest approach has been compliance. What do I mean? Some
> 3-4 years ago, we had a debate on Kictanet and Skunkworks as well about what
> measures companies and the Government should take to curb cyberthreats, which
> include but aren't limited to identity theft, online and mobile money
> laundering, core infrastructure security, etc. For starters, the biggest
> threat comes from none other than we humans. Any deployment carried out
> without a thoroughly thought-out strategy will fail dismally on so many
> fronts.
> Personally I applaud the Govt for seeing the importance of having policies
> in place, but my fear and worry has always been execution. The Kenya Police
> website hack is barely even the icing on the cake as to how deep cyber
> crime can root itself. Even more sad is that in certain instances some
> corporate outfits boasting of offering Information Security awareness,
> assessments, etc. do a piecemeal job at it. This is akin to someone assessing
> your house, identifying that your door is the most vulnerable entry
> point, and proceeding to recommend that you repaint your door!
>
> My opinion would be to raise awareness via such forums. Initially when
> Skunkworks began, there was a very strong drive to hold talks over subjects
> such as this (I thank the mods for offering me an opportunity to present on
> one occasion). I would also encourage the Govt to see through the efforts in
> place to ensure that compliance and standards revolving around the fast
> growing world of IT are implemented and aren't just white elephant projects.
>
>> · What initiatives are needed to ensure there is sufficient
>> awareness and education on Cyber threats?
>>
> Let's take social networking as a case study. Most people hardly think twice
> when signing up or logging into any social network. The amount of
> information you give away is an all too familiar subject which most people
> either ignore or find too pedestrian to contemplate. Another front to think
> about is online/mobile transactions. Do you trust whoever you are providing
> your banking/credit card details to? What level of compliance (ISO 27001/PCI
> DSS) are they adhering to? A third front is the latest boy in the yard,
> cloud computing. Do you feel safe relinquishing all your data to some cloud?
> Who else is accessing that cloud? Like I always say, cyber crime is like a
> cancer: it slowly creeps and once manifested, the consequences are grave.
> Case in point, the recent LulzSec saga and the HBGary incident.
>
> On a technical level, I would advocate for Red Teaming (Google is your
> friend) as a methodology to identify potential threats up to and including
> physical penetration etc. For those in security (CISA, CISSP, CEH etc etc
> etc), it's time to stop with the mentality of "someone could break into
> this". Go ahead and show your clients how horrible the world can be. If you
> are protecting against a static threat then security becomes a very easy
> task for anyone. But that's not the nature of things. We have dynamic
> threats which need continuous assessments, user training and awareness.
>
> I know the above goes against compliance. Saying you are compliant is
> equivalent to saying you have bread in your cupboard and claiming that no
> one can break through into your house.
>
> Strictly my opinion and I welcome anyone else's.
>
> -ty
>
>> The floor is open, feel free to continue commenting on previous threads.
>>
>> Best Regards
>> --
>> Barrack O. Otieno
>> +254721325277
>> +254-20-2498789
>> Skype: barrack.otieno