[kictanet] Online Security in Kenya needs to be mainstreamed

Michuki Mwangi michuki at swiftkenya.com
Sat Feb 11 21:04:50 EAT 2012


Hi Brian, et al,


On 2/11/12 12:03 PM, Brian Munyao Longwe wrote:
> Today's(last night's) hacking of the Toyota Kenya website as evidenced
> by Moses Kemibaro's screenshot - http://t.co/w7RDDjfP - should serve as
> a wake up call to CxOs and any organization that has a web presence or
> online resources.
>

While i agree with you. I would like to subject this to discussion.

1. There no business critical information sufficient to warrant the
investment into securing the website. In reality, its not like they
broke into the new toyota show room on Waiyaki way and got away with the
any car(s).

2. I would bet that the folks at Toyota don't know what percentage of
their monthly sales are courtesy of their website.

3. The website is hosted at http://www.softlayer.com/ so this means its
an outsourced solution. In this case who is complacent a. the hosting
company (they provide the infrastructure/service or b. the
developer/website designer. The reason being I do not believe that its
in toyota's core business to be concerned about their website security.
Unless someone makes them see the business sense of it.

> Especially as it comes hardly 2 weeks after the shameful hacking of over
> 103 government websites by an amateur Indonesian techie. In this
> particular case it turns out that all 103 sites were hosted on the same
> physical server - a malpractice, as far as web-hosting and system
> administration goes. 

Am not 100% in agreement here.

1. It not uncommon to have 103 low traffic websites on a single server
going by the computing resources available today. After all its what the
world of Virtualization and virtual Web hosting is all about.

IMHO am pretty pleased by fact that;

1. We have 103 Government websites - so we are making baby steps.

2. It also means that we have a resourceful sysadmin who understands
virtual web-hosting and is capable of hosting 103 website on one IP
address (that we didn't know until this incident).

> It is clear that the increase in online threats and
> cyber-security issues has a lot to do with Kenya's improved connectivity
> to the global Internet - with 3 submarine fiber optic cables opening the
> country and sub-region to cyber-criminals and pranksters alike.
> 

+1

However, its important that we note that the websites in discussion were
hosted in two different places i.e US and Kenya.

IMHO to mainstream security the websites will have to mean more than
just online or web presence. For Govt websites for instance if the KRA
website was hacked - we can indeed expect delays in customs clearance of
goods, loss of revenue collection, etc. Currently it is a matter of
public image. Therefore considering our brevity of mind, it will soon be
back to business as usual.

Similarly, for many local companies, websites are like a company
brochure + directory service (no pun intended). If you think am out of
my mind compare www.toyotaea.com (the hacked site) and toyota.com.
Clearly one is a brochure and the other is a salesperson. I almost
obvious that if the www.toyota.com website had a 4 hour outage, it would
affect their sales target for the week. Because they would be one
salesperson less.

Taking into consideration that most of these companies have a PR agency
that will issue a very reassuring statement after such an incident for a
standard retainer.

In summary, considering that our websites are non-critical to the
organization/business operations and continuity. Why should we be
investing so much or to phrase it as Brian did why should CxO's care?.

Convince me!

Mich.















More information about the KICTANet mailing list