Re: [kictanet] Kenya IGF 2011 Policy Discussions Day 5 Cyber Security and Privacy
Thanks Ty, for the comprehensive response. You rightly mention the fact that there are many strategies but execution is the problem. I recently heard an interesting speech by His Excellency the President at the military academy in Lanet, where he urged the academy to equip itself against emerging threats through enhanced curricula. I assumed emerging threats include cybercrime. What is the role of universities and academic institutions in combating cybercrime in view of the recent collaborative efforts between KU, Egerton and our uniformed forces?
On 7/5/11, ty <tyruskam@gmail.com> wrote:
Barrack, See inline,
On Tue, Jul 5, 2011 at 8:22 PM, Barrack Otieno <otieno.barrack@gmail.com>wrote:
Dear Listers,
· With Cyber Security threats increasing at an alarming rate, what strategies can we embrace as a nation to address and combat the threats?
To start with, my biggest approach has been compliance. What do I mean? Some 3-4 years ago, we had a debate on Kictanet and Skunkworks as well about what measures companies and the Government should take to curb cyber threats, which include but aren't limited to identity theft, online and mobile money laundering, core infrastructure security etc etc. For starters, the biggest threat comes from none other than we humans. Any deployment carried out without a thoroughly thought out strategy will fail dismally on so many fronts. Personally I applaud the Govt for seeing the importance of having policies in place, but my fear and worry has always been execution. The Kenya Police website hack is barely even the icing on the cake as to how deep cyber crime can root itself. Even more sad is that in certain instances some corporate outfits boasting of offering information security awareness, assessments etc do a piecemeal job at it. This is akin to someone assessing your house and, if he identifies that your door is the most vulnerable entry point, proceeding to recommend that you repaint your door!
My opinion would be to raise awareness via such forums. Initially, when Skunkworks began, there was a very strong drive to hold talks on subjects such as this (I thank the mods for offering me an opportunity to present on one occasion). I would also encourage the Govt to see through the efforts in place to ensure that compliance and standards revolving around the fast growing world of IT are implemented and aren't just white elephant projects.
· What initiatives are needed to ensure there is sufficient awareness and education on Cyber threats?
Let's take social networking as a case study. Most people hardly think twice when signing up for or logging into any social network. The amount of information you give away is an all too familiar subject which most people either ignore or find too pedestrian to contemplate. Another front to think about is online/mobile transactions. Do you trust whoever you are providing your banking/credit card details to? What level of compliance (ISO 27001/PCI DSS) are they adhering to? A third front is the latest boy in the yard, cloud computing. Do you feel safe relinquishing all your data to some cloud? Who else is accessing that cloud? Like I always say, cyber crime is like a cancer: it slowly creeps, and once manifested, the consequences are grave. Case in point, the recent LulzSec saga and the HBGary incident.
On a technical level, I would advocate for Red Teaming (Google is your friend) as a methodology to identify potential threats, up to and including physical penetration etc. For those in security (CISA, CISSP, CEH etc etc etc), it's time to stop with the mentality of "someone could break into this". Go ahead and show your clients how horrible the world can be. If you are protecting against a static threat, then security becomes a very easy task for anyone. But that's not the nature of things. We have dynamic threats which need continuous assessments, user training and awareness.
I know the above goes against compliance. Saying you are compliant is equivalent to saying you have bread in your cupboard and claiming that no one can break into your house.
Strictly my opinion and I welcome anyone else's
-ty
The floor is open; feel free to continue commenting on previous threads.
Best Regards -- Barrack O. Otieno
Cyber security affects anyone who plausibly has data stored on some device, either remotely or locally, e.g. on a smartphone. The breadth and scope of cyber security threats is quite formidable, and these threats become more stealthy and nefarious every day. This is a universal problem not limited to developed countries. In Kenya, more bandwidth and faster internet has seen a mushrooming of malware, phishing attacks and online fraud. Besides the recent defacement of the Kenya Police website, I have personally come across several other government websites infested with malware, with the attackers gaining full access to the compromised host servers. The problem, I think, is not just sensitization. A lot is talked about cyber security in the media, in seminars, blogs, social networks etc, but very little is done besides obtaining the latest anti-virus and downloading patches (for those who do so). This action alone is very insufficient, as some malware is known to cripple and disable even the latest 'bug-proof' anti-virus. Cyber security specialists (penetration testers, firewall experts, cryptographers, white-hat hackers) and the professionals that could be on the vanguard of defense are quite a rare and precious 'breed' in Kenya. Wasn't it high time more could be done by the government and private sector to train specialists in the wide field of cyber security? We need more cyber security professionals in this country. In addition, having hacking conferences like our own version of DEFCON, where hackers, government officials, security professionals and other interested stakeholders can assemble and see for themselves how real-time security vulnerabilities can be exploited and either benign or malicious attacks are carried out on the victim. These informal conferences can go a long way in sensitizing and coming up with best practices with regards to cyber security.
Talking of cyber security, this article may also interest you: in June, the Pentagon drafted a cyber warfare policy in which it reserves the right to use military force against states or agents that target critical US computer and network infrastructure. http://rt.com/usa/news/pentagon-cyber-military-computer/