[kictanet] IG Discussion 2009, Day 7 of 10 - Data and Infrastructure Security
John Walubengo
jwalu at yahoo.com
Tue May 5 10:57:33 EAT 2009
My take, and just to drive Mwende's challenge on how ready we are: I just googled a few Kenyan sites that have gone online. With the intention of spreading caution rather than fear, I have put some questions below each site.
Banking:
https://s2b.standardchartered.com/ssoapp/login.jsp
Qtn: How sure are you that the site you are engaging with is actually what it claims to be and not a hoax operating from someone's internet laptop in Mogadishu or Bungoma?
Customs Services:
https://forodha.kra.go.ke/
Qtn: This is the KRA eCustoms site. I still don't know WHY I cannot access it using my Firefox browser, though it works with Microsoft Explorer. In security terms, this is known as discriminatory NON-AVAILABILITY of services.
Utilities:
http://www.posta.co.ke/
Qtn: This site seems to have gone home with the MD! I was trying to get to their postapay service. The question is, what guarantees do we have that as government services go online, they do stay online?
Education:
http://www.elearning.strathmore.edu/login/index.php
Qtn: Possibly the busiest educational site in sub-Saharan Africa. The question is, how sure are you that the assignment posted by the student was not done by the neighbour?
walu.
NB: Oh, I forgot. Wash, please check out Evans's claim that KICTAnet passwords are in clear text. Otherwise I could log in as the PS Ndemo and declare myself the newly appointed (coalition?) Government Cyber-Security Advisor!
--- On Tue, 5/5/09, Evans Kahuthu <ifani.kinos at gmail.com> wrote:
> From: Evans Kahuthu <ifani.kinos at gmail.com>
> Subject: Re: [kictanet] IG Discussion 2009, Day 7 of 10 - Data and Infrastructure Security
> To: jwalu at yahoo.com
> Cc: "KICTAnet ICT Policy Discussions" <kictanet at lists.kictanet.or.ke>
> Date: Tuesday, May 5, 2009, 7:58 AM
> Good Morning,
>
> Mwende, further to your point regarding having not experienced a critical security threat, it is important for end users and information owners to understand that just because they have not been compromised, it does not necessarily mean that they are secure, since this in a security context is "Security by Obscurity".
>
> It is important to understand that hackers write code with certain parameters of the target, and thus when they execute such programs only applications that meet these criteria are compromised, and thus the probability of them being victims is very slim.
>
> In addition, before organisations can go on a spending spree on security programs, applications and human resources, it is worthwhile for them to know that "Insiders" pose the greatest security threat to their information. With this in mind, there is need for an internal Access Control mechanism to be implemented to help eliminate this threat.
>
> As far as our current level of preparedness goes, from a random analysis of existing web applications, networks and hosting companies, it's evident that we have a lot of work ahead of us.
> Case in point:
> 1. Recent "war drives" around Nairobi city centre reveal that most wireless networks are unsecured, which provides a very convenient entry point for most black hat hackers into the business network.
> 2. Most of the dynamic web applications have severe database security vulnerabilities. Using default security assessment methods, it is very easy to gain access to the underlying database data and structure.
> 3. Though it's not considered a "Critical" application, the "KICTANET database" stores passwords in clear text, which is a violation of the database Confidentiality rule.
>
> To help protect our infrastructure and data, awareness is paramount, as this sets the base on what security should be implemented and how. Also important are policies, standards and procedures to help govern the process.
>
> Evans
>
> On Mon, May 4, 2009 at 4:52 PM, mwende njiraini <mwende.njiraini at gmail.com> wrote:
>
> > Good morning!
> >
> > Today we continue our discussions on cybersecurity, specifically data and infrastructure security.
> >
> > It is now not uncommon to hear about cyber terrorism, cyber crime, cyber attacks, Information Warfare, etc. Recent examples of cyber attacks in Estonia and Georgia show that the Internet offers an inexpensive and easy weapon of modern warfare.
> >
> > Fortunately, we as a country may not yet have experienced critical security threats, possibly because the majority of users/organizations have access to ‘less than broadband speeds’, thus providing no incentive for meaningful exploits. This presents a situation where low usage and poor connectivity has acted as our “security”.
> >
> > However, with the growing use of the Internet, encouraged by the availability of broadband connections locally, nationally (Fibre optic national project, operator networks) and internationally (TEAMS, SEACOM), the number of incidences of online security breaches is set to increase.
> >
> > Thank you Harry Delano (email 29th April) for raising the following important questions for our discussion today.
> >
> > - What is our level of cybersecurity preparedness (as government, operator, service providers, private sector organizations and educational institutions)?
> > - Have we made an assessment of our cybersecurity preparedness levels, to date, particularly with the impending landing of the international submarine fibre optic cable?
> > - What is needed to protect our data and infrastructure from increased threats, and at what cost?
> >
> > Regards
> > Mwende
> >
> > _______________________________________________
> > kictanet mailing list
> > kictanet at lists.kictanet.or.ke
> > http://lists.kictanet.or.ke/mailman/listinfo/kictanet
> >
> > This message was sent to: ifani.kinos at gmail.com
> > Unsubscribe or change your options at
> >
> http://lists.kictanet.or.ke/mailman/options/kictanet/ifani.kinos%40gmail.com
> >
> >
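As an added example (mine, not code from the thread, from KICTAnet's list software, or from any of the sites named above), here is the failure that Evans's point 3 and Walu's NB describe, a users table that holds the password itself, beside the replacement a practitioner would want: a per-user random salt, a stretched hash (PBKDF2-HMAC-SHA256 from Python's standard library, no third-party packages) and a constant-time comparison, plus a small audit helper that flags rows still stored in clear text. The user name "ndemo" and its password are constructed sample data and assumptions of this example only.

```python
"""Clear-text password storage beside a salted, stretched replacement.

Added example, not from the mailing-list thread. The users table is modelled
as a dict; "ndemo" / "s3cret-pass" are constructed sample data.
"""
import hashlib
import hmac
import os

# --- the weak design: the database row IS the secret -----------------------
CLEARTEXT_USERS = {"ndemo": "s3cret-pass"}   # constructed sample row


def login_cleartext(users, username, password):
    """Anyone who can read the table (DBA, backup thief, SQL injection)
    can log in as any user, which is exactly Walu's "log in as the PS" case."""
    return users.get(username) == password


# --- the hardened design: store only a salted, stretched hash --------------
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # work factor; raise it as hardware gets faster
SALT_LEN = 16          # 128-bit random salt, unique per user


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), digest.hex())


# A real record used for timing-equalisation when the user does not exist.
DUMMY_HASH = hash_password("dummy-password")


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:          # malformed record (e.g. a clear-text row)
        return False
    if algo != ALGO:
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(recomputed, expected)


def login_hashed(users, username, password):
    """Login against the hashed table; unknown users cost the same time as wrong passwords."""
    stored = users.get(username)
    if stored is None:
        verify_password(DUMMY_HASH, password)  # burn the same work, then refuse
        return False
    return verify_password(stored, password)


def build_hashed_table(cleartext_users):
    """One-off migration: replace every clear-text row with a hash record."""
    return {user: hash_password(pw) for user, pw in cleartext_users.items()}


def audit_storage(users):
    """Return user names whose stored value is not a hash record (clear text)."""
    return [user for user, value in users.items() if not value.startswith(ALGO + "$")]


if __name__ == "__main__":
    hashed = build_hashed_table(CLEARTEXT_USERS)
    print("clear-text rows before migration:", audit_storage(CLEARTEXT_USERS))
    print("clear-text rows after migration: ", audit_storage(hashed))
    print("stored record:", hashed["ndemo"])
    print("correct password:", login_hashed(hashed, "ndemo", "s3cret-pass"))
    print("wrong password:  ", login_hashed(hashed, "ndemo", "wrong"))
```

The point of the hashed table is that a copy of it no longer lets an attacker log in: the record contains the salt and the hash, not the password, and each guess costs the full PBKDF2 work factor. The dummy verification for unknown users keeps the login path from leaking which names exist through response time.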