[kictanet] [Security Forum] [Skunkworks] #KeIGF15 Online Discussions Day Two: Cyber Security and Trust

Ni Mimi allanmaseghe3 at gmail.com
Tue Jul 21 19:18:12 EAT 2015


Securing ICT resources needs, first and foremost, a change of attitude.

Many a time we buy new cars or spend money to set up nice apartments, but
we never really sit and consider how to protect what we invest in.

From my experience, security concerns are always the elephant in the room
which everyone pretends does not exist.

Just to give a few examples:

- Many service providers, who are meant to be the first line of defense,
have insecure networks which are so easy to penetrate. The firewalls might
have been deployed at the core, yes, but many have their access devices, i.e.
switches, on people's rooftops and cabinets in MDFs with ports easily
accessible. All one needs is to go there dressed as a legit employee and you
have an easy walk across the data of the customers.

- Just as we take for granted our own physical security (many don't even know
the name of their kid's school driver and how well trained he is), so is
the case with our own ICT networks. We choose to think in terms of, "it
only happens to the others and not me".

Once we start changing the attitude, everything else starts falling in
place.

We are yet to become victims of serious cyber hackers like Sony Pictures and
the USA government. This is the time to proactively engage in self-defense
when we are not being kept busy.

My 50 cents..

With regards,
Allan Maseghe, CCIE #38593
https://www.linkedin.com/pub/allan-maseghe-ccie-38593-rns/31/559/2a9
http://mungauwamaseghe.wordpress.com/


On Tue, Jul 21, 2015 at 4:52 PM, Grace Mutung'u (Bomu) via kictanet <
kictanet at lists.kictanet.or.ke> wrote:

> Thank you everyone for the enriching contributions. Without cybersecurity,
> users cannot be assured when transacting online.  A special mention to the
> security experts who have interesting and practical views to the
> cybersecurity issues. We may need to seek more information from those in
> bodies such as ICTA, from experts who helped to set up the systems as well
> as from private sector. Would be interesting to hear how banks achieve
> security, especially with Internet and mobile banking.
>
> The issue of mobile money payments will be part of our discussion tomorrow
> as we tackle "the Internet Economy".
>
> The discussions on all the topics remain open so please continue on. We
> shall pick all the recommendations and suggestions and present them to
> stakeholders during the IGF. Hopefully, some of them will find their way
> into policy and use in our institutions.
>
> Once again thank you.
>
> Regards,
> Grace
>
> 2015-07-21 18:11 GMT+03:00 Lesley Leposo via Security <
> security at lists.my.co.ke>:
>
>> @fredrick
>> Good point.
>> I can see why they would use open source software, other than it being
>> free.
>> But, my point of view only makes sense if the GOK, businesses and
>> universities also fostered/sponsored some (moderately) experienced COMODO
>> tinkerers/hackers.
>>
>> On Jul 21, 2015, at 5:55 PM, fredrick Wahome via Security <
>> security at lists.my.co.ke> wrote:
>>
>> This far we can say they have tried but one thing I don't understand with
>> government system is the implementation. Is it that hard or there is some
>> laxity. With PKI in place most departments are still using FREE systems
>> like COMODO. But again as a loyal citizen I stopped complaining and just
>> doing the bit I can even if it's sharing information..
>> On Jul 21, 2015 5:29 PM, "Mwendwa Kivuva via Security" <
>> security at lists.my.co.ke> wrote:
>>
>>> Sorry, here is the website for the Certifying Authority for Kenya's PKI
>>> http://www.govca.go.ke/#
>>>
>>> ______________________
>>> Mwendwa Kivuva, Nairobi, Kenya
>>>
>>> "There are some men who lift the age they inhabit, till all men walk on
>>> higher ground in that lifetime." - Maxwell Anderson
>>>
>>>
>>> On 21 July 2015 at 16:56, Mwendwa Kivuva <Kivuva at transworldafrica.com>
>>> wrote:
>>>
>>>> Hosea Kandie and Fredrick Wahome have raised very important points of
>>>> institutional frameworks. I just wanted to share the National PKI website
>>>> which has a tonne of information on what Kenya has done in that regard.
>>>> http://www.ke-cirt.go.ke/index.php/services/national-pki/
>>>>
>>>> Here is a copy paste from the home page:
>>>>
>>>> Kenya’s National Public Key Infrastructure (NPKI)
>>>>
>>>> The National Public Key Infrastructure (NPKI) project is coordinated by
>>>> the Ministry of ICT in collaboration with the Communications Authority of
>>>> Kenya (CA) and the ICT Authority (ICTA).
>>>>
>>>> A Public Key Infrastructure (PKI) refers to a system for the creation,
>>>> storage and distribution of digital certificates which are used to verify
>>>> that a particular public key (online identity) belongs to a certain entity.
>>>> A PKI is a technical infrastructure that comprises of a Root Certification
>>>> Authority (RCA) and a Certification Authority (CA), referred to as an
>>>> Electronic Certification Service Provider (E-CSP) in Kenya’s legal and
>>>> regulatory framework. The PKI creates a framework for protecting
>>>> communications and stored information from unauthorized access and
>>>> disclosure by addressing the fundamentals of cyber security –
>>>> confidentiality, integrity, authentication and non-repudiation. A PKI is
>>>> key to the rollout of e-transaction services.
>>>>
>>>> The Kenya Information and Communications Act, 1998, mandates the
>>>> Communications Authority of Kenya (CA) to issue a license to a person
>>>> operating an Electronic Certification Service. In this regard, the
>>>> Communications Authority of Kenya (CA) has developed a licensing framework
>>>> for Electronic Certification Service Providers (E-CSPs).
>>>>
>>>> Kenya’s National PKI comprises of a Root Certification Authority (RCA),
>>>> which is managed by the Communication Authority of Kenya (CA) as a
>>>> regulatory function, and the Government Certification Authority (GCA), an
>>>> E-CSP which is managed by the ICTA. The NPKI is instrumental towards the
>>>> effectiveness of the licensing of Electronic Certification Service
>>>> Providers (E-CSPs) by the Communications Authority since a licensed E-CSP
>>>> must be accredited by the RCA for its digital certificates to be globally
>>>> recognized and trusted.
>>>>
>>>> The ICT Authority (ICTA), which is the body responsible for the
>>>> management of the mainstream government ICT services, operates the GCA.
>>>> Other interested stakeholders who may be issued with an E-CSP license on
>>>> application include the banking Sector and the Academia.
>>>>
>>>> The benefits of a National PKI include:
>>>> i.    Locally available and cheaper digital certificates/signatures; and
>>>> ii.    Operations and services that are within Kenyan law
>>>> (jurisdiction), among others.
>>>>
>>>> ______________________
>>>> Mwendwa Kivuva, Nairobi, Kenya
>>>>
>>>> "There are some men who lift the age they inhabit, till all men walk on
>>>> higher ground in that lifetime." - Maxwell Anderson
>>>>
>>>>
>>>> On 21 July 2015 at 11:02, fredrick Wahome via Security <
>>>> security at lists.my.co.ke> wrote:
>>>>
>>>>> The fact that there is high internet penetration in Africa / Kenya
>>>>> where an average of one user for every five has access to affordable
>>>>> internet has created enabling environment for cyber-criminals.
>>>>>
>>>>> By the nature of cyberspace where the perpetrators of cyber-crime
>>>>> remain ubiquitous. This necessitated a need for legislation to control
>>>>> crime, and to provide confidence and security in African cyberspace,
>>>>> leading to the drafting of the Africa Union Convention on Cybersecurity
>>>>> (AUCC). But some groups like CIPIT and civil society opposed the convention
>>>>> on the ground that it was prepared without their inputs. Their main
>>>>> argument is that the convention did not make enough provisions to protect
>>>>> privacy and freedom of speech.
>>>>>
>>>>> Member States have to undertake necessary measures to encourage
>>>>> the establishment of institutions that exchange information on cyber
>>>>> threats and the evaluation of vulnerabilities such as Computer
>>>>> Emergency Response Team (CERT). Kenya has at least done something on this
>>>>> by establishing KE-CIRT at CA. There is also a masterplan and PKI in place
>>>>> though there have been implementation challenges. We will note that most
>>>>> government departments have not yet established cybersecurity departments
>>>>> and this leads to low / lack of budgetary allocation.
>>>>>
>>>>> In summary Government bodies, policy networks, scholars, the media,
>>>>> technology experts and the people need to engage in a global conversation
>>>>> that will help demystify Cyber-crime and define what it constitutes of and
>>>>> how Cyber-criminals should be dealt with.
>>>>>
>>>>> The role of the media (television, blogs, online news outlets and
>>>>> more) is critical in the process of educating the public and engaging in a
>>>>> conversation, as they will be the mediators and curators of information and
>>>>> discourse on the issue. Thus, a concise and sensible approach, devoid of
>>>>> fear-mongering and shock practices, should be followed. We all remember
>>>>> recently how media has mishandled cyber crime news without a very somber
>>>>> deep analysis
>>>>>
>>>>> Since this is an international issue, governments and policy networks
>>>>> across the world have to come together and discuss openly on what is better
>>>>> for their citizens. Something like AUCC is a positive move by African states
>>>>>
>>>>> Scholars and academics can provide valuable expertise on
>>>>> technological, psychological, ethical and other issues, while highlighting
>>>>> any misgivings by those involved in the process. At least Strathmore has
>>>>> tried on this
>>>>>
>>>>> The people in their local communities, families and social networks
>>>>> should help and train each other to increase their peers’ level of Internet
>>>>> literacy and highlight the advantages of the web. A higher Internet
>>>>> literacy level can help people protect themselves even better by taking
>>>>> simple security measures, such as using anti-virus software and identifying
>>>>> potential risks or scams in their online financial transactions. More is
>>>>> needed from the technology community to provide awareness to end users even
>>>>> if through probono program.
>>>>>
>>>>> The technology community needs a unity of purpose. Looking at
>>>>> programmers / developers, DBA, network admins, infosec there has been lack
>>>>> of proper coordination. Developers are working hard to prove that their
>>>>> products can't be broken. Infosec on the other hand are working so hard to
>>>>> prove to blue team / developers that they can break their products. At the
>>>>> end no one benefits from such a contest. Many technical conferences /
>>>>> seminars should be encouraged to enable sharing of information / knowledge
>>>>> in the local technology community.
>>>>>
>>>>> Great day comrades.
>>>>>
>>>>> On Tue, Jul 21, 2015 at 9:28 AM, Stephen Munguti via Security <
>>>>> security at lists.my.co.ke> wrote:
>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I think most of our security concerns stem from internal users and
>>>>>> this is the reason many banks and telcos refuse to part with this
>>>>>> information, I could be wrong though
>>>>>>
>>>>>> On Tue, Jul 21, 2015 at 8:58 AM, Grace Mutung'u (Bomu) via skunkworks
>>>>>> <skunkworks at lists.my.co.ke> wrote:
>>>>>>
>>>>>>> Dear Listers,
>>>>>>>
>>>>>>>
>>>>>>> Kenya has had its fair share of high profile cyber threats, hacking
>>>>>>> etc, the latest being the alleged compromise of the IFMIS system at
>>>>>>> NYS/Ministry of Devolution. The country and Africa at large is making
>>>>>>> efforts to assure cyber-security. These include among others her
>>>>>>> involvement in the Africa Union Convention on Cybercrime and a proposal for
>>>>>>> a Cybercrime law, an initiative led by the Office of the Director of Public
>>>>>>> Prosecutions. Significant financial resources have also been earmarked by
>>>>>>> government for security and cyber security in particular. There are also
>>>>>>> partnerships between government and private sector in deploying
>>>>>>> cybersecurity centres.
>>>>>>>
>>>>>>> The private sector has employed practical measures to protect their
>>>>>>> businesses. However, businesses such as mobile money providers and banks
>>>>>>> have been shy to divulge their cyber security concerns to protect their
>>>>>>> interests.
>>>>>>>
>>>>>>> Civil society on the other hand has raised concern about the line
>>>>>>> between protecting the cyber space and creating a facilitative environment
>>>>>>> for innovators as well as protecting the rights of users.
>>>>>>>
>>>>>>>
>>>>>>> Are our efforts at deterring cyber-crime the correct way to assure
>>>>>>> cyber security? Are fears about a partnership between government and
>>>>>>> private sector and the general fears about stifling innovation and human
>>>>>>> rights in the name of cybersecurity legitimate? Are there other practical
>>>>>>> approaches that different stakeholders can take to enhance cyber security?
>>>>>>>
>>>>>>>
>>>>>>> Over to you.
>>>>>>>
>>>>>>> --
>>>>>>> Grace L.N. Mutung'u
>>>>>>> Nairobi Kenya
>>>>>>> Skype: gracebomu
>>>>>>> Twitter: @Bomu
>>>>>>>
>>>>>>> <http://www.diplointernetgovernance.org/profile/GraceMutungu>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> skunkworks mailing list
>>>>>>> skunkworks at lists.my.co.ke
>>>>>>> ------------
>>>>>>> List info, subscribe/unsubscribe
>>>>>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>>>>>>> ------------
>>>>>>>
>>>>>>> Skunkworks Rules
>>>>>>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>>>>>>> ------------
>>>>>>> Other services @ http://my.co.ke
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Best Regards,
>>>>>> Stephen Munguti.
>>>>>>
>>>>>> +254720425104
>>>>>>
>>>>>> _______________________________________________
>>>>>> Security mailing list
>>>>>> Security at lists.my.co.ke
>>>>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/security
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Kind Regards;
>>>>>
>>>>> Fredrick Wahome Ndung'u
>>>>> Team Leader
>>>>> Secunets Technologies Ltd
>>>>> Website: www.secunets.com
>>>>> Cell: +254725264890
>>>>> Email: fred at secunets.com
>>>>> Facebook: secunetstech
>>>>> Twitter: @secunets
>>>>> Skype: secunets.technologies
>>>>>
>>>>> Experts in: Domain Registration, Web
>>>>> Hosting, Open Source Solutions, Information Security & Training, Digital
>>>>> Forensic Investigations, Web 2.0 Applications & I.C.T Consultancy.
>>>>>
>>>>> "Secure Business Technology"
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
>
> --
> Grace L.N. Mutung'u
> Nairobi Kenya
> Skype: gracebomu
> Twitter: @Bomu
>
> <http://www.diplointernetgovernance.org/profile/GraceMutungu>
>
>
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/allanmaseghe3%40gmail.com
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>