Re: [Skunkworks] Kenya IGF 2011 Policy Discussions Day 5 Cyber Security and Privacy

Dear Listers,
· With Cyber Security threats increasing at an alarming rate, what strategies can we embrace as a nation to address and combat the threats?
· What initiatives are needed to ensure there is sufficient awareness and education on Cyber threats?
The floor is open, feel free to continue commenting on previous threads.
Best Regards -- Barrack O. Otieno
+254721325277 +254-20-2498789 Skype: barrack.otieno

Barrack, see inline.
On Tue, Jul 5, 2011 at 8:22 PM, Barrack Otieno <otieno.barrack@gmail.com> wrote:
Dear Listers,
· With Cyber Security threats increasing at an alarming rate, what strategies can we embrace as a nation to address and combat the threats?
To start with, my biggest approach has been compliance. What do I mean? Some 3-4 years ago, we had a debate on Kictanet and Skunkworks as well about what measures companies and the Government should take to curb cyber threats, which include but aren't limited to identity theft, online and mobile money laundering, core infrastructure security, etc. For starters, the biggest threat comes from none other than we humans. Any deployment carried out without a thoroughly thought-out strategy will fail dismally on so many fronts. Personally I applaud the Govt for seeing the importance of having policies in place, but my fear and worry has always been execution. The Kenya Police website hack is barely even the icing on the cake as to how deep cyber crime can root itself. Even sadder is that in certain instances some corporate outfits boasting of offering Information Security awareness, assessments etc. do a piecemeal job at it. This is akin to someone assessing your house, identifying that your door is the most vulnerable entry point, and proceeding to recommend that you repaint your door!
My opinion would be to raise awareness via such forums. Initially, when Skunkworks began, there was a very strong drive to hold talks on subjects such as this (I thank the mods for offering me an opportunity to present on one occasion). I would also encourage the Govt to see through the efforts in place to ensure that compliance and standards revolving around the fast-growing world of IT are implemented and aren't just white elephant projects.
· What initiatives are needed to ensure there is sufficient awareness and education on Cyber threats?
Let's take social networking as a case study. Most people hardly think twice when signing up for or logging into any social network. The amount of information you give away is an all too familiar subject which most people either ignore or find too pedestrian to contemplate. Another front to think about is online/mobile transactions. Do you trust whoever you are providing your banking/credit card details to? What level of compliance (ISO 27001/PCI DSS) are they adhering to? A third front is the latest boy in the yard, cloud computing. Do you feel safe relinquishing all your data to some cloud? Who else is accessing that cloud? Like I always say, cyber crime is like a cancer: it slowly creeps, and once manifested, the consequences are grave. Case in point: the recent LulzSec saga and HBGary's incident.
On a technical level, I would advocate for Red Teaming (Google is your friend) as a methodology to identify potential threats up to and including physical penetration etc. For those in security (CISA, CISSP, CEH etc.), it's time to stop with the mentality of "someone could break into this". Go ahead and show your clients how horrible the world can be. If you are protecting against a static threat then security becomes a very easy task for anyone. But that's not the nature of things. We have dynamic threats which need continuous assessments, user training and awareness.
I know the above goes against compliance. Saying you are compliant is equivalent to saying you have bread in your cupboard and claiming that no one can break into your house.
Strictly my opinion, and I welcome anyone else's.
-ty
The floor is open, feel free to continue commenting on previous threads.
Best Regards -- Barrack O. Otieno
+254721325277 +254-20-2498789 Skype: barrack.otieno
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke

Thanks Ty for the comprehensive response. You rightly mention the fact that there are many strategies but execution is the problem. I recently heard an interesting speech by His Excellency the President at the military academy in Lanet, where he urged the academy to equip itself against emerging threats through enhanced curricula. I assumed emerging threats include cybercrime. What is the role of universities and academic institutions in combating cybercrime, in view of the recent collaborative efforts between KU, Egerton and our uniformed forces?
On 7/5/11, ty <tyruskam@gmail.com> wrote:
Barrack, see inline.
On Tue, Jul 5, 2011 at 8:22 PM, Barrack Otieno <otieno.barrack@gmail.com> wrote:
Dear Listers,
· With Cyber Security threats increasing at an alarming rate, what strategies can we embrace as a nation to address and combat the threats?
To start with, my biggest approach has been compliance. What do I mean? Some 3-4 years ago, we had a debate on Kictanet and Skunkworks as well about what measures companies and the Government should take to curb cyber threats, which include but aren't limited to identity theft, online and mobile money laundering, core infrastructure security, etc. For starters, the biggest threat comes from none other than we humans. Any deployment carried out without a thoroughly thought-out strategy will fail dismally on so many fronts. Personally I applaud the Govt for seeing the importance of having policies in place, but my fear and worry has always been execution. The Kenya Police website hack is barely even the icing on the cake as to how deep cyber crime can root itself. Even sadder is that in certain instances some corporate outfits boasting of offering Information Security awareness, assessments etc. do a piecemeal job at it. This is akin to someone assessing your house, identifying that your door is the most vulnerable entry point, and proceeding to recommend that you repaint your door!
My opinion would be to raise awareness via such forums. Initially, when Skunkworks began, there was a very strong drive to hold talks on subjects such as this (I thank the mods for offering me an opportunity to present on one occasion). I would also encourage the Govt to see through the efforts in place to ensure that compliance and standards revolving around the fast-growing world of IT are implemented and aren't just white elephant projects.
· What initiatives are needed to ensure there is sufficient awareness and education on Cyber threats?
Let's take social networking as a case study. Most people hardly think twice when signing up for or logging into any social network. The amount of information you give away is an all too familiar subject which most people either ignore or find too pedestrian to contemplate. Another front to think about is online/mobile transactions. Do you trust whoever you are providing your banking/credit card details to? What level of compliance (ISO 27001/PCI DSS) are they adhering to? A third front is the latest boy in the yard, cloud computing. Do you feel safe relinquishing all your data to some cloud? Who else is accessing that cloud? Like I always say, cyber crime is like a cancer: it slowly creeps, and once manifested, the consequences are grave. Case in point: the recent LulzSec saga and HBGary's incident.
On a technical level, I would advocate for Red Teaming (Google is your friend) as a methodology to identify potential threats up to and including physical penetration etc. For those in security (CISA, CISSP, CEH etc.), it's time to stop with the mentality of "someone could break into this". Go ahead and show your clients how horrible the world can be. If you are protecting against a static threat then security becomes a very easy task for anyone. But that's not the nature of things. We have dynamic threats which need continuous assessments, user training and awareness.
I know the above goes against compliance. Saying you are compliant is equivalent to saying you have bread in your cupboard and claiming that no one can break into your house.
Strictly my opinion, and I welcome anyone else's.
-ty
-- Sent from my mobile device
Barrack O. Otieno, Afriregister Ltd (Kenya), www.afriregister.bi, www.afriregister.com, ICANN accredited registrar
+254721325277 +254-20-2498789 Skype: barrack.otieno

Thank you Barrack for your response.
It's a shame that none of our universities (correction is welcome) and tertiary institutions, including our police academies, have cyber crime as a core element in the curriculum. I laughed at a statement made by the Police Commissioner on the Kenya Police defacement: he said that anyone with information that could lead to the apprehension of the perpetrators should visit the nearest police station. So I asked myself, go and report *what* exactly? There isn't a clear way to handle electronic evidence in the first place. I am willing to bet there wasn't an incident report and threat mitigation policy to that effect as well. Do we have Govt forensic officers who can deal with such cases?
In the same breath, social engineering, being the oldest hack in the book, is still very much alive today. I don't know if banking staff or any other *high risk* personnel are trained on distinguishing the legit from con artists.
As the Govt pushes to improve what I'd term physical security, I would implore them to bear in mind the unseen and uncanny ugly head of cyber terrorism. With the move to concentrate all public information in one holding tank, it begs the question what tangible measures have been put in place. And I don't think it's only the Govt that should be put to question. Even private holdings are notoriously known to cut corners and compromise on guarding against cyber crimes by hiding behind the blatant excuse that such threats are simply illusions and only happen in America etc.
-tyrus.
On Tue, Jul 5, 2011 at 10:41 PM, Barrack Otieno <otieno.barrack@gmail.com> wrote:
Thanks Ty for the comprehensive response. You rightly mention the fact that there are many strategies but execution is the problem. I recently heard an interesting speech by His Excellency the President at the military academy in Lanet, where he urged the academy to equip itself against emerging threats through enhanced curricula. I assumed emerging threats include cybercrime. What is the role of universities and academic institutions in combating cybercrime, in view of the recent collaborative efforts between KU, Egerton and our uniformed forces?

Kenya Methodist University is working towards offering Certified Ethical Hacker (version 7) in the coming months, probably during the next intake in September.
However, it is one thing to teach people security stuff, and it's another animal to have them actually implement it.
IMHO, we should have standards and the mechanism to enforce those standards; for example, KICTB can say that all software done for the government MUST conform to PCI DSS and/or ISO 27001 or another ideal standard, then go ahead and audit all said software for such conformity, on a regular basis.
On the issue of websites, I believe these are the easiest to compromise and still the easiest to secure; it is the developers of these websites who are lazy and fail to do their homework. I think specific security guidelines can cover this.
Finally, in as much as we keep lumping all the work on the government, let us also play our part and engage the affected organizations directly. I can personally attest to the fact that the CIRT team @ CCK actually responds to issues.
On Tue, Jul 5, 2011 at 11:01 PM, ty <tyruskam@gmail.com> wrote:
Thank you Barrack for your response.
It's a shame that none of our universities (correction is welcome) and tertiary institutions, including our police academies, have cyber crime as a core element in the curriculum. I laughed at a statement made by the Police Commissioner on the Kenya Police defacement: he said that anyone with information that could lead to the apprehension of the perpetrators should visit the nearest police station. So I asked myself, go and report *what* exactly? There isn't a clear way to handle electronic evidence in the first place. I am willing to bet there wasn't an incident report and threat mitigation policy to that effect as well. Do we have Govt forensic officers who can deal with such cases?
In the same breath, social engineering, being the oldest hack in the book, is still very much alive today. I don't know if banking staff or any other *high risk* personnel are trained on distinguishing the legit from con artists.
As the Govt pushes to improve what I'd term physical security, I would implore them to bear in mind the unseen and uncanny ugly head of cyber terrorism. With the move to concentrate all public information in one holding tank, it begs the question what tangible measures have been put in place. And I don't think it's only the Govt that should be put to question. Even private holdings are notoriously known to cut corners and compromise on guarding against cyber crimes by hiding behind the blatant excuse that such threats are simply illusions and only happen in America etc.
-tyrus.

Hmm, that's strange, I mean coming from Kenya Methodist University. Apparently a few months ago I found a gaping security hole in their website (and no, I did not exploit it -- obviously) and I haven't checked back to see if it is fixed.
Steve
----- "Peter Karunyu" <pkarunyu@gmail.com> wrote:
Kenya Methodist University is working towards offering Certified Ethical Hacker (version 7) in the coming months, probably during the next intake in September.
However, it is one thing to teach people security stuff, and it's another animal to have them actually implement it.
IMHO, we should have standards and the mechanism to enforce those standards; for example, KICTB can say that all software done for the government MUST conform to PCI DSS and/or ISO 27001 or another ideal standard, then go ahead and audit all said software for such conformity, on a regular basis.
On the issue of websites, I believe these are the easiest to compromise and still the easiest to secure; it is the developers of these websites who are lazy and fail to do their homework. I think specific security guidelines can cover this.
Finally, in as much as we keep lumping all the work on the government, let us also play our part and engage the affected organizations directly. I can personally attest to the fact that the CIRT team @ CCK actually responds to issues.

Steve,

You would be surprised to what extent not only websites, but also social engineering, goes into allowing you to gain access to some of these institutions. Educating users on very simple procedures like not opening just any PDF sent to their corporate email (APTs), or using corporate email for social media stuff. You also realize how easy it is to befriend someone from any organization you want to compromise. Let me break it down for you. I know you work for my target, and so I search for you on Facebook or Twitter, and come Friday I'll maybe see an update on where you will be hanging out with your pals. I'll possibly join you, have a couple, and then come Monday, when we meet, you will most definitely go like "Oh yeah, we met on Friday," and the rest is simply a move to go for the kill.

So try and look at security beyond CISSP and CEH. Anyone can teach you how to exploit and perform DDoS. But do you know it is possible for someone to walk in and walk out with your servers? Like the saying goes, "You never know what you have till it's gone." Personally I feel it goes beyond certifications and compliance. Just like you can have everyone issued with a driving license. But does that make them a good driver? No. It just means they have complied with a stipulated law/requirement for them to have any business on the road. My desire is to have companies and infosec professionals meet and implement what the certification/compliance guidelines dictate. If you look at PCI in itself, it's very diverse. More so, recently the body responsible for PCI DSS came up with PA-DSS, a compliance framework for software vendors: https://www.pcisecuritystandards.org/security_standards/documents.php?associ... . Having that in mind, and with the deluge of mobile apps shifting towards mainstream forms of payment, what measures have been put in place to make sure that their underlying security framework actually works? Just because it implements SSL? Look at Comodo Securities: the very vendors of CAs were compromised through the very same attack vector they seek to protect against.

Again, just my thoughts.

-tyrus

I dont

On Wed, Jul 6, 2011 at 7:50 AM, Steve Obbayi <steve@sobbayi.com> wrote:
Hmm, that's strange, I mean coming from Kenya Methodist University. Apparently a few months ago I found a gaping security hole in their website (and no, I did not exploit it -- obviously) and I haven't checked back to see if it is fixed.
Steve
----- "Peter Karunyu" <pkarunyu@gmail.com> wrote:
Kenya Methodist University is working towards offering Certified Ethical Hacker (version 7) in the coming months, probably during the next intake in September.
However, it is one thing to teach people security stuff, and it's another animal to have them actually implement it.
IMHO, we should have standards and have the mechanism to enforce those standards; for example, KICTB can say that all software done for the government MUST conform to PCI DSS and/or ISO 27001 or other ideal standard, then it goes ahead and audits all said software for such conformity, on a regular basis.
On the issue of websites, I believe these are the easiest to compromise and still the easiest to secure, it is the developers of these websites who are lazy and fail to do their homework. I think specific security guidelines can cover this.
Finally, in as much as we keep lumping all the work to the government, let us also play our part and engage the affected organizations directly. I can personally attest to the fact that the CIRT team @ CCK actually responds to issues.
On Tue, Jul 5, 2011 at 11:01 PM, ty <tyruskam@gmail.com> wrote:
Thank you Barrack for your response.
It's a shame that none of our universities (correction is welcome) and tertiary institutions, including our police academies, have cyber crime as a core element in the curriculum. I laughed at a statement made by the Police Commissioner on the Kenya Police defacement: he said that anyone with information that could lead to the apprehension of the perpetrators should visit the nearest police station. So I asked myself, go and report what exactly? There isn't a clear way to handle electronic evidence in the first place. I'm willing to bet there wasn't an incident report and threat mitigation policy to that effect as well. Do we have Govt forensic officers who can deal with such cases?

In the same breath, social engineering, being the oldest hack in the book, is still very well alive today. I don't know if banking staff or any other high-risk personnel are trained on distinguishing legit people from con artists.

As the Govt pushes to improve what I'd term physical security, I would implore them to bear in mind the unseen and uncanny ugly head of cyber terrorism. With the move to concentrate all public information in one holding tank, it begs the question of what tangible measures have been put in place. And I don't think it's only the Govt that should be put to question. Even private holdings are notoriously known to cut corners and compromise on guarding against cyber crimes by hiding behind the blatant excuse that such threats are simply illusions and only happen in America etc.
-tyrus.
On Tue, Jul 5, 2011 at 10:41 PM, Barrack Otieno <otieno.barrack@gmail.com> wrote:

Thanks Ty, for the comprehensive response. You rightly mention the fact that there are many strategies but execution is the problem. I recently heard an interesting speech by His Excellency the President at the military academy in Lanet where he urged the academy to equip itself against emerging threats through enhanced curricula. I assumed emerging threats include cybercrime. What is the role of universities and academic institutions in combating cybercrime in view of the recent collaborative efforts between KU, Egerton and our uniformed forces?

Some interesting points you have here Ty... I knew there was something fishy with the likes of Facebook. Anyway, seriously, what you say makes total sense.

@Barrack, some thoughts below. I'm not sure how many really understand the threat of cyber security, but I can tell you that on an international level it is reaching the stage of a fully fledged war. Just 2 weeks ago, President Obama passed the cyber war laws which even empower the US Military to take decisive action if the need arises in future. These new laws are stirring the innovation environment, with many security companies involved in testing and deploying various technologies to counter, detect and, if necessary, take the necessary action. Given the virus that disabled the Iranian nuclear development, you can imagine at what level security is being looked at. As an example, in Iran they have even formed their own cyber defense teams as part of national security. Is the next big war going to start from the internet? A big YES, because the primary targets will be to disable, say, all command technologies. This will be on a global scale. Obviously Kenya and the developing world will not be targets in the short term, but whichever way the political interests go, unfortunately we become soft targets when such times arise. What I'd like to know is what the govt is doing to stir interest in cyber threats as a national agenda, not by creating more entrepreneurs who import and sell security solutions, but those who know security and can do something about it. I believe @Ty is one person not to mess around with on security issues; why has his level of talent not been provided the opportunity to grow the industry to higher levels? Rgds.

Listers, one of the things we can do as a nation is to have mechanisms that will inform the majority of internet users of what exactly is meant by cybersecurity and privacy. There are many situations where someone is duped by a flowery email indicating how much they have won etc. There is a lack of mass education that points out how and where a person is at risk; such education is important. It can be done through the media and CCK's Chukua Hatua site. Education of the masses is critical for ensuring that the public is not in any way duped into getting into some deals which might put them at risk. Public awareness is a critical element for ensuring there is sufficient information which will not let the public lose their money through dubious deals.

Many thanks Tyrus, Aki, Peter Karunyu and Steve, you are certainly switched on and I believe there is much more you can contribute to this nation in so far as cyber security is concerned. Tyrus, you mention ISO 27001/PCI DSS; indeed there is a technical committee at the Kenya Bureau of Standards, KEBS/ISO/IEC JTC1 SC27, that develops IS security standards. I happen to be a member, as are other listers including Evans Ikua, the Chairman of LPA Kenya, whom I hope will add some insights into this discussion. One of the greatest challenges has been the fact that the local industry has been slow to embrace the standards which are available at the Kenya Bureau of Standards; any lister can contact me offlist in case you need further details. Some of the standards adapted by the committee to the Kenyan environment include KSS 2246:2011 Code of Practice for Business Continuity Management and KS 2247:2011 Code of Practice for ICT Continuity Management. Plans are underway for public fora to create awareness on the work the committee is doing and I hope as many listers as possible will be available for this.

On a positive note, I am glad the Police Commissioner is open to new ideas and I suppose he might have an open door policy going by recent events; I do hope he will be available for the face to face meeting. On another thread Dr. Ndemo lauded crowd sourcing, which I suppose could be a new strategy for government departments including the Police to source inputs into their strategies from the public and private sector in an organised manner. As we carry on, do you think the government is taking sufficient steps to address cybercrime? If not, what needs to be done other than awareness? As one lister posed, is there need for a national strategy on cyber security? If so, who should be the key players and why?

-- Barrack O. Otieno, Afriregister Ltd (Kenya), www.afriregister.bi, www.afriregister.com, ICANN accredited registrar +254721325277 +254-20-2498789 Skype: barrack.otieno

Listers, http://www.nation.co.ke/News/Kibaki+says+military+academy+to+offer+degree+co... On Wed, Jul 6, 2011 at 12:23 PM, Barrack Otieno <otieno.barrack@gmail.com> wrote:
Many thanks Tyrus, Aki, Peter Karunyu and Steve, you are certainly switched on and i beleive there is much more you can contribute to this nation in so far as Cyber Security is concerned, Tyrus you mention ISO 27001/PCI DSS indeed there is a technical commitee at Kenya Bureu of standards KEBS/ISO/IEC JTC1 SC27 that develops IS Security standards, i happen to be a member so are other listers including Evans Ikua the Chairman of LPA Kenya whom i hope will add some insights into this discussion, one of the greatest challenges has been the fact that the local industry has been slow to embrace the standards which are available at the Kenya Bureu of Standards any lister can contact me offlist incase you need further details, some of the standards adapted by the commitee to the Kenyan environment include KSS 2246:2011 Code of Practice for Business Continuity Management and Ks 2247:2011 Code of Practice for ICT continutiy Management. Plans are underway for public Fora to create awareness on the work the commitee is doing and i hope as many listers will be available for this. On a positive note i am glad the Police Commissioner is open to new ideas and i suppose he might have an open door policy going by recent events, i do hope he will be available for the Face to Face meeting , on another thread Dr. Ndemo lauded crowd sourcing which i suppose could be a new strategy for government departments including Police to source for inputs into their strategies from the public and private sector in an organised manner, as we carry on do you think the government is taking sufficient steps to address Cybercrime? if not what needs to be done other than awareness, as one lister posed is there need for a national strategy on cyber security, if so who should be the key players and why?
On Wed, Jul 6, 2011 at 11:08 AM, Solomon Mburu Kamau <solo.mburu@gmail.com> wrote:
Listers,
One of the things we can do as a nation is to have mechanisms that will inform the majority of internet users to know what is exactly meant by cybersecurity and privacy. There are many situations where someone is duped by a flowery email indicating how much they have won etc. Lack of mass education that points out how and where a person is at risk of cyber security is important. It can be done through the media and CCK's Chukua Hatua site. Education of the mass is critical for ensuring that the public is not in anyway duped into getting into some deals which might put them at risk. Public awareness is a critical element for ensuring there is sufficient information which will not let the public loose their money through dubious deals. _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Barrack O. Otieno Afriregister Ltd (Kenya) www.afriregister.bi, www.afriregister.com ICANN accredited registrar +254721325277 +254-20-2498789 Skype: barrack.otieno

Barrack, Thank you for your input as well. Yes, I recall sometime back in 2007, I think, someone approached me and referred me to the KEBS/ISO/IEC body. He asserted they were looking for input in coming up with standards and policies to govern the fast growing IT field. However, that was the last I heard from them. I inquired how I could provide input, but no response has come since then. What's my point? There is a lack of follow through. For all I know, I try and mold existing frameworks (PCI/PA/DSS and ISO 27001) to fit my line of work because, from where I stand, there may be a laxity in actually implementing and executing the whole process. Most importantly, standards which fit our current model, e.g. MMTs, which seem to be becoming a worldwide phenomenon.

As to the question of who should be involved, I believe everyone in the industry should be. From GSM Telco operators (who, by the way, are hardly considered as a potential entry point for some sophisticated hacks) to ISPs, Software outfits, Banks, Utility companies, you name them. Everyone has a key role to play. However, I know what I am stating here isn't revolutionary. It's been preached before, but we have a knack for letting things fall through the cracks. With the same zeal CBK, CCK, KEBS and any other regulatory body has when enforcing their standards, I believe a dedicated body should be established to research, develop and implement a certain number of realistic standards. Why do I use "realistic"? Running a Penetration Test to ensure your web server complies with what an audit firm claims to be the standard for running web services isn't good by itself. There are a million attack vectors which could cripple our economy when carefully executed. I don't mean to sound like those threat level alerts set to instill fear, but if you have had your ear on the ground for a while now, you will realize there are gaping holes which, if someone only took a minute to think through and patch, would save us potential loss. Not just in terms of revenue, but also Intellectual Property-wise, reputation, etc.

How about our law enforcement officers? I know the legal framework surrounding electronic wiretaps has been catered for, but are the NSIS/CID well equipped and trained to investigate cyber crime? You could argue the economy can't support the establishment of sophisticated labs, etc., but ask yourself, if we are aiming for Vision 2030 with IT as the key driving force, why should Info Sec be an afterthought? Isn't this the time to build the base and case the joint before determined attackers come calling and catch us flat-footed?

-tyrus

On Wed, Jul 6, 2011 at 12:23 PM, Barrack Otieno <otieno.barrack@gmail.com> wrote:
Participants (6): aki, Barrack Otieno, Peter Karunyu, Solomon Mburu Kamau, Steve Obbayi, ty