Thanks Ty, for the comprehensive response, you rightly mention the fact that there are many strategies but execution is the problem, I recently heard an interesting speech by his excellency the president at the military academy in Lanet where he urged the academy to equip itself against emerging threats through enhanced curricula , I assumed emerging threats include Cybercrime, what is the role of Universities and academic institutions in combating Cybercrime in view of the recent collaborative efforts between KU, Egerton and our uniformed forces? On 7/5/11, ty <tyruskam@gmail.com> wrote:
Barrack, See inline,
On Tue, Jul 5, 2011 at 8:22 PM, Barrack Otieno <otieno.barrack@gmail.com>wrote:
Dear Listers,
· With Cyber Security threats increasing at an alarming rate, what strategies can we embrace as a nation to address and combat the threats?
To start with, my biggest approach has been compliance. What do I mean? Some 3-4 years ago, we had a debate on Kictanet and Skunkworks as well about what measure companies and the Government should take to curb Cyberthreats which include but arent limited to Identity Theft, online and mobile money laundering, core infrastructure security etc etc. For starters, the biggest threat comes from none other than we humans. Any deployment carried out without a thoroughly thought out strategy will fail dismally in so many fronts. Personally I applaud the Govt for seeing the importance of having policies in place but my fear and worry has always been execution. The Kenya Police website hack is barely even the icing on the cake as to how far deep cyber crime can root itself. Even more sad is that in certain instances some corporate outfits boasting of offering Information Security awareness, assessments etc do a piecemeal job at it. This is akin to someone assessing your house and if he identifies that your door is the most vulnerable entry point and proceeds to recommend you to repaint your door!
My opinion would be to raise awareness via such forums. Initially when skunkworks began, there was a very strong drive to hold talks over subjects such as this (I thank the mods for offering me an opportunity to present on one occasion). I would also encourage the Govt to see through the efforts in place to ensure that compliance and standards revolving around the fast growing world of IT are implemented and arent just white elephant projects.
· What initiatives are needed to ensure there is sufficient
awareness and education on Cyber threats?
Lets take social networking as a case study. Most people hardly think twice when signing up or logging into any social network. The amount of information you give away is an all too familiar subject which most people either ignore or find too pedestrian to contemplate. Another front to think about it online/mobile transactions. Do you trust whoever you are providing your banking/credit card details? What level of compliance (ISO 27001/PCI DSS) are they adhering to? A third front is the latest boy in the yard, cloud computing. Do you feel safe relinquishing all your data to some cloud? Who else is accessing that cloud. Like I always say, Cyber crime is like a cancer, it slowly creeps and once manifested, the consequences are grave. Case in point, the recent Lulzsec saga and HB Gary's incident.
On a technical level, I would advocate for Red Teaming (google is your friend) as a methodology to identify potential threats upto and including physical penetration etc. For those in security (CISA, CISSP, CEH etc etc etc), its time to stop with the mentality of "someone could break into this". go ahead and show your clients how horrible the world can be. If you are protecting against a static threat then security becomes a very easy task for anyone. But that's not the nature of things. We have dynamic threats which need continuous assessments, user training and awareness.
I know the above goes against compliance. Saying you are compliant is equivalent to saying you have bread in your cupboard and claiming that no can break through into your house.
Strictly my opinion and I welcome anyone else's
-ty
the floor is open, feel free to continue commenting on previous threads.
Best Regards -- Barrack O. Otieno
+254721325277 +254-20-2498789 Skype: barrack.otieno _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://orion.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Sent from my mobile device Barrack O. Otieno Afriregister Ltd (Kenya) www.afrire <http://www.afriregister.com>gister.bi, www.afriregister.com<http://www.afriergister.com> <http://www.afriregister.com>ICANN accredited registrar +254721325277 +254-20-2498789 Skype: barrack.otieno