<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:bookman old style,new york,times,serif;font-size:10pt">Friends,<br><br>On the recent hacking of the Kenya Police website, here is what I posted on the <font style="font-style: italic;" face="Tahoma" size="2">Security List <security@lists.my.co.ke><span style="text-decoration: underline;"><span style="font-style: italic;"><span style="font-weight: bold;">,</span></span></span><span style="font-style: italic;"></span></font><font face="Tahoma" size="2"> although for some reason it hasn't shown up on the list.</font><font face="Tahoma" size="2"><br></font><div><br></div><div style="font-family: bookman old style,new york,times,serif; font-size: 10pt;"><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font face="Tahoma" size="2">----- Forwarded Message ----<br><b><span style="font-weight: bold;">From:</span></b>
Matunda Nyanchama <mnyanchama@aganoconsulting.com><br><b><span style="font-weight: bold;">To:</span></b> Security List <security@lists.my.co.ke><br><b><span style="font-weight: bold;">Sent:</span></b> Wed, January 19, 2011 7:21:18 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Police Website Hacking<br></font><br>
<div style="font-family: bookman old style,new york,times,serif; font-size: 8pt; color: rgb(0, 0, 255);"><font size="2">Friends,<br><br>I think this is a great opportunity for information protection professionals to step up and help government better protect its information assets. Remember: this government is much our own as it is of those that make decisions. Out here Canada, some people are pointing at me saying: what security professional can't step up to reduce the embarrassment and (possible) espionage when their government sites are hacked!<br><br>But conversation must a 2-way process and needs to happen us professionals and those in government.<br><br>We could help in this respect:<br></font><ul><li><font size="2">Do a <span style="font-weight: bold;">current state assessment</span>, including understanding what damage has been caused so far and what be happening "under the
hood". The hack is what became public. We don't know what else may be happening. I can bet that government servers are possibly on some international botnet rings where hackers (including spies - <a rel="nofollow" target="_blank" href="http://www.information-age.com/channels/security-and-continuity/news/1014087/investigators-find-chinese-botnet-on-dalai-lamas-pc.thtml">here is an example</a>) may be collecting GoK information. The proposed assessment would look at everything from people to processes to technology and how these have been structured to protect government information assets.</font></li><li><font size="2"><span style="font-weight: bold;">Future state design:</span> this is where the government security management would wish to be in the future</font></li><li><font size="2"><span style="font-weight: bold;">Gap analysis:</span> what those gaps are and what are the priorities between current state and future state of security in government. My
guess is that there are major gaps in skills (technical and management); technology may be there but is poorly deployed and managed (caring and feeding, e.g. monitoring, patching,
etc.); processes may be poorly designed and implemented: ....</font></li><li><font size="2"><span style="font-weight: bold;">Roadmap to secure state:</span> based on priorities we would design for them a master security plan to follow, including strategy, a proper security organization staffed with people with right skills and requisite mandate; technology infrastructure deployment and processes for managing things: people, processes and technology + associated accountabilities.<br></font></li></ul><div><font size="2"> I hope they take this offer, if they haven't started working on it already.<br><br>Over to you!<br></font></div><br>----------------------------------------------------------------------------------------------<br><span style="font-weight: bold;">Matunda Nyanchama, mnyanchama@aganoconsulting.com</span><br style="font-weight: bold;"><span style="font-weight: bold;">Agano Consulting Inc.; </span><a rel="nofollow"
style="font-weight: bold;" target="_blank" href="http://www.aganoconsulting.com">www.aganoconsulting.com</a><br>----------------------------------------------------------------------------------------------<span style="font-style: italic;"></span><span lang="EN-CA"></span><style><!-- _filtered {font-family:"Book Antiqua";panose-1:2 4 6 2 5 3 5 3 3 4;} p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:11.0pt;font-family:"Book Antiqua";}p {margin-right:0in;margin-left:0in;font-size:12.0pt;font-family:"Times New Roman";} _filtered {margin:1.0in 1.25in 1.0in 1.25in;
}div.Section1 {}--></style><i style=""><span style="font-size: 10pt;"><br>“If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.”</span></i><span style="font-size: 10pt;"> - George Bernard Shaw</span> <br>-----------------------------------------------------------------------------------------------<br><font size="1">This e-mail, including attachments, may be privileged and may contain confidential or proprietary information intended only for the addressee(s). Any other distribution, copying, use, or disclosure is unauthorized and strictly prohibited. If you have received this message in error, please notify the sender immediately by reply e-mail and permanently delete the message, including any attachments, without making a copy. Thank you.</font><br><div><br></div>
</div></div></div>
</div></body></html>