IG Discussion 2009, Day 7 of 10 - Data and Infrastructure Security

Good morning!

Today we continue our discussions on cybersecurity, specifically data and infrastructure security.

It is now not uncommon to hear about cyber terrorism, cyber crime, cyber attacks, Information Warfare, etc. Recent examples of cyber attacks in Estonia and Georgia show that the Internet offers an inexpensive and easy weapon of modern warfare.

Fortunately, we as a country may not have yet experienced critical security threats, possibly because the majority of users/organizations have access to ‘less than broadband speeds’, thus providing no incentive for meaningful exploits. This presents a situation where low usage and poor connectivity have acted as our “security”.

However, with the growing use of the Internet, encouraged by the availability of broadband connections locally, nationally (Fibre optic national project, operator networks) and internationally (TEAMS, SEACOM), the number of incidences of online security breaches is set to increase.

Thank you Harry Delano (email 29th April) for raising the following important questions for our discussion today.

- What is our level of cybersecurity preparedness (as government, operator, service providers, private sector organizations and educational institutions)?
- Have we made an assessment of our cybersecurity preparedness levels, to date, particularly with the impending landing of international submarine fibre optic cable?
- What is needed to protect our data and infrastructure from increased threats and at what cost?

Regards
Mwende

Good Morning,

Mwende, further to your point regarding having not experienced critical security threats, it is important for end users and information owners to understand that just because they have not been compromised, it does not necessarily mean that they are secure, since this, in a security context, is "Security by Obscurity". It is important to understand that hackers write code with certain parameters of the target, and thus when they execute such programs only applications that meet these criteria are compromised, and thus the probability of them being victims is very slim. In addition, before organisations can go on a spending spree on security programs, applications and human resources, it is worthwhile for them to know that "Insiders" pose the greatest security threat to their information. With this in mind, there is a need for internal Access Control mechanisms to be implemented to help eliminate this threat.

As far as our current level of preparedness goes, from a random analysis of existing web applications, networks and hosting companies, it is evident that we have a lot of work ahead of us. Case in point:

1. Recent "war drives" around Nairobi city center reveal that most wireless networks are unsecured, which provides a very convenient entry point for most black hat hackers into the business network.
2. Most of the dynamic web applications have severe database security vulnerabilities. Using default security assessment methods, it is very easy to gain access to the underlying database data and structure.
3. Though it is not considered a "Critical" application, the "KICTANET database" stores passwords in clear text, which is a violation of the database Confidentiality rule.

To help protect our infrastructure and data, awareness is paramount, as this sets the base on what security should be implemented and how. Also important are policies, standards and procedures to help govern the process.

Evans
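Added example, not part of the thread and not code from the KICTANET list software: Evans's third point concerns a database that keeps passwords in clear text. The sketch below shows one way to remediate that, converting the stored values to salted PBKDF2 hashes in a single transaction and checking logins in constant time; the `members` table, the sample accounts and the iteration count are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False  # malformed or still-cleartext record: refuse the login


def migrate_plaintext(conn: sqlite3.Connection, iterations: int = ITERATIONS) -> int:
    """Replace every cleartext password in `members` with a salted hash; return rows changed."""
    rows = conn.execute(
        "SELECT id, password FROM members WHERE password NOT LIKE 'pbkdf2_sha256$%'"
    ).fetchall()
    with conn:  # one transaction: either every row is migrated or none is
        for member_id, plaintext in rows:
            conn.execute(
                "UPDATE members SET password = ? WHERE id = ?",
                (hash_password(plaintext, iterations), member_id),
            )
    return len(rows)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a list-membership table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members (email, password) VALUES (?, ?)",
        [("alice@example.org", "karibu2009"), ("bob@example.org", "karibu2009"),
         ("carol@example.org", "s3cret!")],
    )
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Look up the member and verify the supplied password against the stored hash."""
    row = conn.execute("SELECT password FROM members WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = build_sample_db()
    print("migrated rows:", migrate_plaintext(db))
    print("alice login ok:", login(db, "alice@example.org", "karibu2009"))
```

After migration, two members who chose the same password no longer share a stored value, and a copy of the table no longer reveals anyone's password directly.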

My take, and just to drive Mwende's challenge on how ready we are - I just googled a few Kenya sites that have gone online. With the intention to spread caution rather than fear, I have put some questions below each site.

Banking: https://s2b.standardchartered.com/ssoapp/login.jsp
Qtn: How sure are you that the site you are engaging in is actually what it claims to be and not a hoax operating from someone's internet laptop in Mogadishu or Bungoma?

Customs Services: https://forodha.kra.go.ke/
Qtn: This is the KRA eCustoms site. I still don't know WHY I cannot access it using my Firefox browser, though it works with Microsoft Explorer. In Security terms, this is known as discriminatory NON-AVAILABILITY of services.

Utilities: http://www.posta.co.ke/
Qtn: This site seems to have gone home with the MD! Was trying to get their postapay service. Question is, what guarantees do we have that as government services get online - they do stay online?

Education: http://www.elearning.strathmore.edu/login/index.php
Qtn: Possibly the busiest educational site in sub-Saharan Africa. Question is, how sure are you that the assignment posted by the student was not done by the neighbor?

walu.

nb: Oh I 4got, Wash, plse check out Evans' claim that KICTAnet passwords are in clear text. Otherwise I could log in as the PS Ndemo and declare myself the newly appointed (coalition?) Government Cyber-Security Advisor!

Dear all

The UK data protection provides a good benchmark with regards to data protection and privacy. The act requires all organisations which handle personal information to comply with the following eight principles, which make sure that personal information is:

- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection

Data protection guide UK: http://www.ico.gov.uk/Home/for_organisations/data_protection_guide.aspx

Kind regards
Mwende

*Disclaimer: Views expressed here are the author’s own*

Hi.

CyberSecurity will either get enforced by the Government (which has no idea what information security consists of), or by people who come with an initiative and a research facility which will show Proof of Concept to the government and to any Organization what Operational and Physical Security consist of.

Cyber Terrorism, Cyber Theft and Cyber Defense should be the first to be included in such policies; Training and Awareness is another issue. Then compliance can be effective, which should be followed up with Security test and Audit.

First Kenyan Security Forum = http://lists.my.co.ke/pipermail/security/

./Chuks

--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
http://www.kamongo.co.ke/

Hi,

One method that may be used to assess our level of preparedness with regards to cybersecurity is the use of the ITU National Cybersecurity/critical information infrastructure protection (CIIP) Self-Assessment Tool. This tool is intended to assist governments in examining their existing national policies, procedures, norms, institutions, and relationships in light of national needs to enhance cybersecurity and address critical information infrastructure protection. (http://www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html)

Kind regards
Mwende

*Disclaimer: Views expressed here (except those quoted or referenced) are the author’s own*
participants (4)
- chuks Jonia
- Evans Kahuthu
- John Walubengo
- mwende njiraini