Will Kenya be spared as hackers seek out government secrets?

Companies are confronted with the increasingly difficult task of safeguarding their expanded digital estate against rising cyber threats. PHOTO | PHOTOS.COM

Got in and all I could think about was Zuckerberg! This is for you Mark!

This is the message — in reference to Facebook’s founder — that flashed on computer screens any time someone attempted to log onto the Kenya Police official website last month after it was hacked into.

But this is not the only website in Kenya that has been hacked into and it will not be the last.

The shift to e-government and increased Internet use has opened an amusement park for hackers.

Kenya has now joined the many developed countries battling to keep secrets safe.

Government data leaks have wrecked international relations with the latest being the diplomatic cables released to the world by Wikileaks, catching several countries — including Kenya — flatfooted.

For most governments and organisations the fear is that the confidential information stored in computers or data centres or an electronic gadget could soon be in the limelight.

With the adoption of e-banking, financial institutions are facing threats as hackers devise ways to steal money.

So what is Kenya doing to shield its well-guarded secrets? Not much, according to ICT experts.

Lack of policy

Microsoft head technology strategist for East and Southern Africa Paul Roy Owino said: “The government is more concerned with acquisition of equipment as opposed to investing to ensure that the information held therein is secure. Unless you have a framework in place that governs the use and access of digital material, the vulnerability levels will remain high and with dire consequences if exploited.”

The lack of a clear information access and use policy in Kenya’s major institutions, further worsened by a lack of technology-savvy employees, is largely to blame for the increased incidents of breach, he said.

Mr Owino said he was aware of over 15 attacks in the recent past, but not much has been said about the leaks.

Kamunyu Kahenya, an IT specialist and website developer, said cyber crime in Kenya is still poorly documented for the same reason that banks fail to divulge the true amounts of money lost through fraud: protecting the institutions’ image.

But the Ministry of Information Permanent Secretary Bitange Ndemo says the hacking in the country is not as dire as some experts are portraying it.

Government ministries have a June deadline to digitise their records — the objective being to increase efficiency of operations and also reduce processing times.

“We are 80 per cent done with actualizing full operation e-government in all ministries,” he said.

According to experts, government institutions fare worse than their private counterparts in the war on e-crime because of a lack of skilled personnel, failure to consult experts and the absence of proper antivirus and antimalware software as their first line of defence.

“Holding consultations with the relevant experts is essential in as far as testing the strength of a system goes. This is done through a technical method called penetration testing which involves hiring of external pseudo-hackers to try and illegally gain access into your system as a proactive measure”, Mr Owino said.

ICT experts say the government’s security is under threat if more is not done to tame hackers.

Following the Kenya Police website attack, the government came up with two strategies which industry experts call reactive and will help in the long term.

Dr Ndemo said a special unit to monitor and prevent future occurrences was formed to investigate the police website take-down.

The Computer Security Incident Response Team (CSIRT) will receive, review, and respond to computer security incident reports and activity.

According to the PS, plans are in place to consolidate all government servers as opposed to having them situated at different locations.

This was being done to allow for easier and cost-effective monitoring of all information from this location.

He said the government plans to collaborate with experts from the United States to reinforce the CSIRT, which has been tasked with monitoring their data centres and websites and rectifying any damage that may result from attacks.

But a source whose company offers data protection to several banks in the country said placing main servers at a secluded location that can only be accessed by certain individuals is still an exercise in futility if protection levels are still below proper standards.

With the availability of affordable broadband services changing the Internet security threat landscape in the country, Mr Kahenya said that companies preoccupy themselves with preserving their image among their customers, and this forces them to handle the matters internally, rarely reporting these cases.

“A lot of the bigger organisations and governments rarely give out information in the event of hacking or data theft or loss of personal or corporate information therefore the situation could be much worse than is currently reported. But to the best of my knowledge, there hasn’t been anything of grand scale yet”, he said.

A study carried out by a leading provider of Internet security in the world, Symantec, indicates that two-thirds (65 per cent) of Internet users globally have fallen victim to cybercrimes, including computer viruses, online credit card fraud and identity theft.

Of these victims, a huge percentage were not willing to report the infringement to relevant authorities with a further majority believing that no justice will be meted out to the perpetrators if reported.

Symantec spokesman for the West, East and Central Africa region Gregg Gerber said that inasmuch as the increased attacks on the continent are directly related to expanded Internet penetration, the problem has been compounded by the fact that more people now have technical know-how on hacking basics than in years past.

Way out

“Widespread attacks on networked computers used to be a task reserved for a rare few hackers – those with an extensive knowledge of programming. However, the advent of attack toolkits has lowered this bar significantly, opening the doors for anyone with a basic understanding of networking and computers to produce threats that exploit vulnerabilities”, Mr Gerber said.

Toolkits are software that, once installed on a machine, enables theft of sensitive information and may also convert compromised computers into a network of botnets — automatically running software — and mount additional attacks.

They are advertised and sold in the online underground economy making them easily accessible.

With the increasing threats, banks are looking for ways to keep hackers at bay.

In Kenya, most banks use e-mail encryption systems that make their systems harder to access, while others bar employees from accessing the Internet altogether, except for internal correspondence.

NIC Bank group manager of ICT Services David Igweta said having a well-monitored technical infrastructure in the form of well-monitored networks that “prefers to lock out everyone rather than accept anything in”, as well as ensuring no test environments co-exist in the same network as the live applications, is just the first step in a long journey.

“The bank must formulate detailed policies on user management, data creation, data manipulation and storage. These will address any grey areas pertaining to those functions like segregation of duties for users. The formulated policy should be well marketed to all users so they understand what role they play in ensuring it works,” Mr Igweta said.

“Availability of automated hacker tools that make a novice computer user look like a seasoned hacker through automation of entire processes of enumeration, penetration and privilege escalation is a big threat. Tools such as Cain can sniff out even secure encrypted passwords if deployed properly,” he said.

He said banks must have a disaster recovery site(s) and this may require them to outsource services of providers to store day-to-day running backups for the bank within a highly secure environment.

One main bottleneck is how to vet computer evidence for use in court while maintaining its credibility.

In the hacking underworld, different names are given to them based on the kind of attack.

Industry players say the ICT environment is a black box to many in the legal fraternity.
