[kictanet] Anonymous hacks Kenya Defence Forces Twitter account

Liz Orembo lizorembo at gmail.com
Wed Jul 22 10:02:57 EAT 2015


Listers,

For the day 2 KeIGF online discussion on Cyber Security and Trust, allow me
to take you back to last year's KICTANet thread, when Anonymous Kenya hacked
KDF Twitter accounts. Key issues were raised with no follow-ups: 1. The govt
not consulting local talent which has skills and capacity and 2.
appreciation of digital security risks by various industries. It seems like
nothing much has changed. How do we take it forward?


On Mon, Jul 21, 2014 at 8:22 PM, John Kariuki via kictanet <
kictanet at lists.kictanet.or.ke> wrote:

> Matunda, Listers,
> You are right. Breaches on cyber security need serious attention.
>
> The ICT Policy in 2006 summarized the matter as follows:
>
> "Electronic Security: The challenge is for the country to establish an
> adequate legal framework and capacity to deal with national
> security, network security, cyber-crime and cyber-terrorism; and to establish
> mechanisms for international cooperation to combat cross-border crimes. An
> e-security structure will be developed in collaboration with the relevant
> institutions."
> Since 2006, the situation has become even worse than envisaged at
> that time due to increasing use of on-line services and Broadband Networks.
>
> John Kariuki
>
>
>   On Monday, 21 July 2014, 17:38, Matunda Nyanchama via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
>
>
> On this score, I have made some observations:
>
> - our people don't take seriously such breaches; I read an attitude of
> this sort: "it is a small irritant that will come." This is especially so
> for the public sector but also (to a small extent) private sector. Indeed,
> organizations like banks can afford to underwrite huge losses through
> marginal variation in interest rates.
>
> - there is no concerted effort to develop needed skills in this area in
> order to tackle/forestall such problems. With such skills in mind we would
> design, implement and continually monitor and respond to incidents based on
> best practices. (Note: there are no guarantees that one won't be hacked but
> one can minimize such damage as: reputation, loss/modification of
> information, etc.)
>
> - we seriously need leadership in this space nationally (both in public
> and private sectors); if there exists any, it is not felt. Such leadership
> would be evangelistic in nature pushing for appreciation of such risks and
> how to deal with them. Such awareness would raise concern (hopefully) and
> thus assure allocation of commensurate resources (people, money,
> technology, etc.) to confront the problem. (NB: my experience in North
> America tells me that this area is very much underfunded and whatever
> little funding comes through would be spent on easy to acquire stuff like
> CCTV ... some installed without requisite processes, skills, etc for
> maximum gain (ROI) ...)
>
> - many technology managers (and many others in management) treat security
> with obscurity. Keep things obscure and profess security. I once was in a
> discussion with a senior official in GoK and heard things such as: we
> cannot disclose what measures we have taken to protect government
> information because the same can be used by you people to target us! He
> failed to appreciate that you can still be hacked with use of known
> reconnaissance approaches. OK: if you really want help, get some of our top
> talent, give them security clearance and allow them to build robust systems
> that assure security.
>
> - a friend recently gave the story of a manager (a protege of top
> management) that kept his job, protected by his benefactors but who many
> knew wasn't performing. This manager could continually avoid bringing in
> talent that might help him but which talent may also expose his failing!
> Only when the organization was hit and top management embarrassed with loss
> (material, reputational) did they hire an external consultant whose report
> exposed the manager's fraud that he had perpetuated for years on end! ...
> long story short, he was given a soft landing, and slowly eased out of the
> organization. ... Lesson: get the right talent and skills for the job if
> indeed you are committed to delivering in your mandate.
>
> BTW: we are into consulting and training in this area. I know of bids we
> have lost on (despite presenting the best technical proposals) because
> of other considerations. Your guess is as good as mine as to why, but don't
> be surprised to have some "wired/connected" individuals winning security
> assignments but which they can't deliver on; and if they do, the result
> would be sloppy and why ... because they engage unskilled people ....
>
> - Finally (for now), the compliance regime is extremely weak! I know a
> thing or two about the Auditor General's office and information security
> skills isn't one of their strengths. The focus on financial audit (recently
> they reported Kshs 300 + billion unaccounted for) takes all the attention
> while other aspects go unattended: critical infrastructure protection, ICT
> specification/acquisition/deployment/management/.../disposal ... all go
> unattended.
>
> ... there is a lot to say; let this suffice for today.
>
>
> ----------------------------------------------------------------------------------------------
> Matunda Nyanchama, PhD, CISSP; mnyanchama at aganoconsulting.com
> Agano Consulting Inc.; www.aganoconsulting.com; Twitter: nmatunda
> <http://twitter.com/#%21/nmatunda>; Skype: okiambe
>
> ----------------------------------------------------------------------------------------------
> Manage your ICT risks! We are the experts you need! The trusted partners
> you deserve!
> Call: +1-888-587-1150 (Canada) +254-20-267-0743 (Kenya) or
> info at aganoconsulting.com
> Licensed by Communications Commission of Kenya (CCK)
>
> ----------------------------------------------------------------------------------------------
> "The best revenge is massive success" - Frank Sinatra
>
>
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/ngethe.kariuki2007%40yahoo.co.uk
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
>



-- 
Best regards.

Patience is what you admire in the driver behind you, but not in the one
ahead.