[kictanet] Anonymous hacks Kenya Defence Forces Twitter account

Walubengo J jwalu at yahoo.com
Wed Jul 22 11:45:32 EAT 2015


@Liz,
I consider security to be in the same league as insurance. No one wants to shoulder the cost of insurance since they believe disaster only happens to others.  People take certain types of insurance (e.g. vehicle, employee, etc) seriously simply because the law mandates them to.
That is why I agree with what Eng. J. Kariuki said as copied below.  It is about the laws & regulations. In Kenya we are still awaiting the following security related laws:
i) Data Protection Act (force data handlers to care for data collected)
ii) e-Transaction Act (provide framework for electronic contracts/transactions)
iii) Cybercrime Act (provide comprehensive framework for investigation, handling and prosecuting e-Crimes)
iv) Access to Information Act (formerly Freedom of Info Act) - provide framework of government to disclose/share public interest data.
Unless and until the above legal regime kicks in, we shall remain the weakest link in the global chain of defence against cybercrime.
walu. 

  
From: Liz Orembo via kictanet <kictanet at lists.kictanet.or.ke>
To: jwalu at yahoo.com
Cc: Liz Orembo <lizorembo at gmail.com>
Sent: Wednesday, July 22, 2015 10:02 AM
Subject: Re: [kictanet] Anonymous hacks Kenya Defence Forces Twitter account
   

Listers,

For the day 2 KeIGF online discussion on Cyber Security and Trust, allow me to take you back to last year's KICTANet thread, when Anonymous Kenya hacked KDF Twitter accounts. Key issues were raised with no follow-ups. 1. The govt not consulting local talent which has skills and capacity and 2. appreciation of digital security risks by various industries. It seems like nothing much has changed. How do we take it forward?


On Mon, Jul 21, 2014 at 8:22 PM, John Kariuki via kictanet <kictanet at lists.kictanet.or.ke> wrote:



Matunda, Listers,
You are right. Breaches on cyber security need serious attention.
The ICT Policy in 2006 summarized the matter as follows:
"Electronic Security: The challenge is for the country to establish an adequate legal framework and capacity to deal with national security, network security, cyber-crime and cyber-terrorism; and to establish mechanisms for international cooperation to combat cross-border crimes. An e-security structure will be developed in collaboration with the relevant institutions."
Since 2006, the situation has become even worse than envisaged at that time due to increasing use of on-line services and Broadband Networks.
John Kariuki 

     On Monday, 21 July 2014, 17:38, Matunda Nyanchama via kictanet <kictanet at lists.kictanet.or.ke> wrote:
   

 
On this score, I have made some observations:
- our people don't take seriously such breaches; I read an attitude of this sort: "it is a small irritant that will come." This is especially so for the public sector but also (to a small extent) private sector. Indeed, organizations like banks can afford to underwrite huge losses through marginal variation in interest rates.
- there is no concerted effort to develop needed skills in this area in order to tackle/forestall such problems. With such skills in mind we would design, implement and continually monitor and respond to incidents based on best practices. (Note: there are no guarantees that one won't be hacked but one can minimize such damage as: reputation, loss/modification of information, etc.)
- we seriously need leadership in this space nationally (both in public and private sectors); if there exists any, it is not felt. Such leadership would be evangelistic in nature pushing for appreciation of such risks and how to deal with them. Such awareness would raise concern (hopefully) and thus assure allocation of commensurate resources (people, money, technology, etc.) to confront the problem. (NB: my experience in North America tells me that this area is very much underfunded and whatever little funding comes through would be spent on easy to acquire stuff like CCTV ... some installed without requisite processes, skills, etc for maximum gain (ROI) ...)
- many technology managers (and many others in management) treat security with obscurity. Keep things obscure and profess security. I once was in a discussion with a senior official in GoK and heard things such as: we cannot disclose what measures we have taken to protect government information because the same can be used by you people to target us! He failed to appreciate that you can still be hacked with use of known reconnaissance approaches. OK: if you really want help, get some of our top talent, give them security clearance and allow them to build robust systems that assure security.
- a friend recently gave the story of a manager (a protege of top management) that kept his job, protected by his benefactors but who many knew wasn't performing. This manager could continually avoid bringing in talent that might help him but which talent may also expose his failing! Only when the organization was hit and top management embarrassed with loss (material, reputational) did they hire an external consultant whose report exposed the manager's fraud that he had perpetuated for years on end! ... long story short, he was given a soft landing, and slowly eased out of the organization. ... Lesson: get the right talent and skills for the job if indeed you are committed to delivering in your mandate.
BTW: we are into consulting and training in this area. I know of bids we have lost on (despite presenting the best technical proposals)  because of other considerations. Your guess is as good as mine as to why, but don't be surprised to have some "wired/connected" individuals winning security assignments but which they can't deliver on; and if they do, the result would be sloppy and why ... because they engage unskilled people ....
- Finally (for now), the compliance regime is extremely weak! I know a thing or two about the Auditor General's office and information security skills isn't one of their strengths. The focus on financial audit (recently they reported Kshs 300 + billion unaccounted for) takes all the attention while other aspects go unattended: critical infrastructure protection, ICT specification/acquisition/deployment/management/.../disposal ... all go unattended.
... there is a lot to say; let this suffice for today. 
 ----------------------------------------------------------------------------------------------
Matunda Nyanchama, PhD, CISSP; mnyanchama at aganoconsulting.com
Agano Consulting Inc.;  www.aganoconsulting.com; Twitter: nmatunda;  Skype: okiambe
----------------------------------------------------------------------------------------------
Manage your ICT risks! We are the experts you need! The trusted partners you deserve!
Call: +1-888-587-1150 (Canada) +254-20-267-0743 (Kenya) or info at aganoconsulting.com
Licensed by Communications Commission of Kenya (CCK)
----------------------------------------------------------------------------------------------
"The best revenge is massive success" - Frank Sinatra
----------------------------------------------------------------------------------------------

_______________________________________________
kictanet mailing list
kictanet at lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/ngethe.kariuki2007%40yahoo.co.uk

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

    




-- 
Best regards.

Patience is what you admire in the driver behind you, but not in the one ahead.


  