Friends,

On the recent hacking of the Kenya Police website, here is what I posted on the Security List <security@lists.my.co.ke>, although for some reason it hasn't shown up on the list.

----- Forwarded Message ----
From: Matunda Nyanchama <mnyanchama@aganoconsulting.com>
To: Security List <security@lists.my.co.ke>
Sent: Wed, January 19, 2011 7:21:18 AM
Subject: Police Website Hacking

Friends,

I think this is a great opportunity for information protection professionals to step up and help government better protect its information assets. Remember: this government is as much our own as it is of those that make decisions.

Out here in Canada, some people are pointing at me saying: what security professional can't step up to reduce the embarrassment and (possible) espionage when their government sites are hacked!

But conversation must be a 2-way process and needs to happen between us professionals and those in government. We could help in this respect:

* Do a current state assessment, including understanding what damage has been caused so far and what may be happening "under the hood". The hack is what became public. We don't know what else may be happening. I can bet that government servers are possibly on some international botnet rings where hackers (including spies - here is an example) may be collecting GoK information. The proposed assessment would look at everything from people to processes to technology and how these have been structured to protect government information assets.
* Future state design: this is where the government security management would wish to be in the future.
* Gap analysis: what those gaps are and what are the priorities between current state and future state of security in government. My guess is that there are major gaps in skills (technical and management); technology may be there but is poorly deployed and managed (caring and feeding, e.g. monitoring, patching, etc.); processes may be poorly designed and implemented: ....
* Roadmap to secure state: based on priorities we would design for them a master security plan to follow, including strategy, a proper security organization staffed with people with the right skills and requisite mandate; technology infrastructure deployment and processes for managing things: people, processes and technology + associated accountabilities.

I hope they take this offer, if they haven't started working on it already.

Over to you!

----------------------------------------------
Matunda Nyanchama, mnyanchama@aganoconsulting.com
Agano Consulting Inc.; www.aganoconsulting.com
----------------------------------------------
“If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.” - George Bernard Shaw