On May 19, Internet Solutions (IS) and Africa Practice hosted a forum on internet security at Intercontinental Hotel for large corporate customers of IS. Speakers included Loren Bosch sales director East Africa at IS, Jason Finlayson of Security Risk Solutions and Collin Mamdoo C. O. O. for East Africa (twitter @collincrm) at IS.
Loren introduced Internet Solutions (IS ) which provides a holistic security solutions which include (they are) cloud-based (hosting, security, back office) connectivity (VPN, fixed & mobile broadband), communication (voice, video, hotspots), and carrier (satellite, last mile fibre & wireless) services In terms of fibre they are a big investor in the Seacom cable. Loren mentioned that most Kenyans experienced a week of slow internet in April 2010 as maintenance work was carried out on a cable that links both the Seacom and TEAMS cables to Europe; however their clients were not affected as IS is also linked via West Africa’s SAT 3.
Jason whose company Security Risk Solutions provides security risk solutions (assesses risks, investigate, fix, help prosecutions etc.) in Kenya and Uganda talked about the state of internet security in Kenya terming it immature, the country has not been exposed to cyber crimes, until now. Kenya has enjoyed security by obscurity as slow network speeds kept the country off the radar and limited the ability to tamper with computers here, – until now with the advent of fibre cable Kenya which mean much faster speeds.
- Weak in security architecture, processes, and crisis solutions which are all relatively new /immature. There is no regulatory framework to protect customer information, no regulatory compliance, no privacy laws, and big companies are struggling with IS basics.
- CCK is yet to set up a computer emergency response team (ERT) though it is has been budgeted for. Also, our cyber police unit was disbanded two years ago (but has recently been re-activated) and the police do receive some training – while neighbour Uganda Police has an actual electronic counter-measures unit.
- Perpetrators’ are sometimes prosecuted for fraud, but not for hacking or other lesser computer crimes
Its going to get worse in the short run with better fibre speeds and employees with laptops and internet access at home, but do large companies care about security?
- Fibre has brought broadband access and many opportunities for Kenyans, but while fibre means we can do anything, people can do anything to you i.e. (banks/corporates)
- Corporates are aware of this, but often don’t have the budget to implement, or the knowledge disseminated across. The Central Bank of Kenya tied to mandate all banks to have BCP’s a few years ago, but many just downloaded from the net and put their logo on them.
- Computer viruses spread much faster now. In 2009 one virus infected 12 million computers worldwide in 24 hours. And with better access, we can expect more phishing attempts in Kenya – already in South Africa, in the first four months of 2010, they have shut down 400 phishing sites.
- The FBI report on the top 10 sources of computer wrongdoing is headed by the US and UK, but with 4 of the top 10 countries being in Africa (Nigeria, Cameroon, Ghana, South Africa), the odds are that in two years, Kenya will join this infamous list
Also Symantec’s 2009 report for top attacks listed common ways of malicious attacks such as suspicious PDF’s vulnerability of Internet explorer and media player. Symantec have set up honey pots in Kenya to better study these attacks from 2010. [source report]
SRS found internet security risks at three levels:
- People: weak passwords easily deciphered by hackers, staff use portable media, accept social invitations to download files/attachments, share USB sticks, and are vulnerable to social engineering, etc. an example was given of a tester sitting at an empty desk of a worker, calling the IT department and having a password reset over the phone giving them access.
- Processes: no app segregation, no use of audit trails, poor controls/security standards. e.g. bank that lost money to fraud had assigned the system admin user name to 50 people
- Technology: companies remain vulnerable because they don’t install patches e.g. to Internet explorer/other popular software some of whose fixes have been around for years. Besides poor patch management, employees now access networks from multiple locations and use more social media at the workplace.
- Limit systems privileges
- Turn off /remove some internet services
- Test security regularly and practice emergency drills
- Have intrusion detection systems
- Install patches
- Train employees and train bosses
- At the worst companies can pull ban computers or block social media, gmail/hotmail, but that will hamper service delivery.
He ended with a quote attributed to a Toyota executive who said that there is no perfect security, only appropriate levels of insecurity
Colin summed it up with a report on new vulnerabilities in the systems
- Social media attacks will be the story in 2010 e.g. hackers using invitations through twitter, skype facebook
- Not just computer but also physical e.g. men in south Africa kidnapping girls they had ‘met’ through MixIt
- SMS attacks – He landed at Nairobi airport and got an SMS from his Zain line that he had won Kshs 250,000, all he had to do was reply to a number to collect his money
- Attacks across different platforms – while Microsoft is the most hit platform, others like Mac are also being targeted e.g. vulnerabilities have already been reported with the new iPad
- Faster spreads – e.g. zero day viruses. As soon as a vulnerability is found, hackers exploit it before a patch can be availed. More hacks? There are videos on youtube that teach newbie’s how to hack
- Security needs to be multi-layer, firewall, anti-viruses, mail filters etc.
- Inside attacks: worst threats /most serious are from disgruntled employees with technical and process know-how within companies – solution? Pay them their bonuses
EDIT: Pal Kahenya is looking for the best hacker in Kenya and has offered a prize of Kshs 100,000 (~$1,300) to the winner of his challenge.