Monday, October 20, 2008

Are Your Employees Security Conscious?

Many organizations compartmentalize Information and Communication Technology security by restricting its function to the IT department.

A crucial component of information security is the user or employee. Employee sensitization is important because no matter how good the procedures are, employees are usually the weakest link and provide vulnerable access points.

The use of personal memory disks and external hard drives poses a threat to an organization’s information system. Employees also download unsafe programs onto work computers and in the process disable systems designed to protect them.

Virus infections are a potent threat due to the exchange of unauthorized files through a company’s network. For instance, a traveling salesman works from a company laptop when in the field. As the laptop is only infrequently connected to the company’s network, its anti-virus update is bound to lapse. When the salesman returns from the field and connects it to the company intranet, a virus can spread before the latest update can be applied.

Employees as a baseline should receive Information Security Staff Handbooks and should sign acceptance of corporate policies and acceptable usage conditions. However, these documents are not very effective and should be supplemented by other initiatives.

These can include compulsory information security training for new staff using mixed media such as computer-based training, video and PowerPoint formats. Security awareness should also be conducted for all staff, newly joined or existing, so that they understand the importance of information security and their individual responsibilities.

Employees should also be supplied with security awareness materials such as intranet pages, brochures, posters and identity badge clips with security messages.

Annual mandatory testing of Information Security awareness along the lines of training and time-constrained examinations should be conducted.

Regular news bulletins should be given to staff about the importance of information security particularly when security breaches make news.

Employee action, deliberate or accidental, can potentially result in serious information security issues such as virus infections. Staff should be provided with education on the firm’s Information Security Policies and Procedures constantly.

The key to success also depends on the commitment of senior management to funding, developing and implementing security awareness among employees. Delegating this function to middle managers is not sufficient. Senior managers should also address significant deficiencies immediately and demand constant monitoring of the company’s security infrastructure.

Are Cyber Crime Laws in Kenya Adequate?

Various countries have introduced legislation that directly deals with cyber crime while others have reformed and modified their existing criminal laws to include this emerging crime.

However, many countries, Kenya included, do not have adequate legislation that addresses cyber crime. Cyber crime laws, for example, protect certain rights and assets such as privacy and identity by rendering illegal the interception of and unauthorized access to privately owned digital data and resources.

They also provide legal frameworks that assist cyber crime investigators in achieving successful prosecutions. The United Kingdom for example has introduced various legislative initiatives over time, meant to specifically address cyber crime. These include the Computer Misuse Act (1990), the Criminal Justice and Police Act (2001), the Police & Criminal Evidence Act (1984) and the Regulation of Investigatory Powers Act (2000) among others.

In the USA, legislation has also been introduced to combat cyber crime, for example the Patriot Act (2001), the Homeland Security Act (2002) and the Prosecutorial Remedies and Tools Against the Exploitation of Children Today (PROTECT) Act, among many others.

The absence of an integrated cyber legal framework in Kenya provides a great challenge to local cyber crime investigators and digital evidence gathering efforts.

The ICT Bill 2008, which will be tabled in Parliament once it reopens, commendably addresses cyber-crime and electronic transactions. It outlines a number of new electronic offences and prescribes the minimum/maximum punishment to be meted out on offenders. These offences include unauthorized access to computer data and access with intent to commit offences.

The ICT Bill 2008 (in the Fifth Schedule) notably mentions electronic evidence. In sum it defines electronic evidence as any information contained in an electronic record which is printed on a paper, stored, recorded or copied on optical or electro-magnetic media produced by a computer.

What the bill has, however, failed to recommend and spell out is the legal process of cyber crime investigation and digital handling in Kenya. This is absolutely necessary because it translates to the rate of successful prosecutions. This issue is especially relevant to our investors, for example call centers, which need a legislative umbrella that safeguards their operations (i.e. identity details and data handling).

The ICT Bill 2008 is long overdue and its tabling now is a damning indictment of our legislative process.

Technology is rapidly permeating our social and economic fabric. It is fundamentally altering past business and social processes that require current regulatory and legislative controls, for instance M-Banking.

Future ICT legislation and resultant amendments in existing Acts must not be reactive to the vibrancy of the industry. The relevant authorities must specify and instruct a specific body to constantly develop relevant ICT legislation for example the ICT Board or the Communications Commission of Kenya.

Are the Smart Cards we carry Secure?

Chip cards have become an indispensable part of us. You will most likely be carrying an ATM, Credit or Fuel card in your wallet or purse. These cards contain an integrated circuit or 'chip' which gives the card the ability to store and/or process data and thereby achieve its designed function.

There are three types of chip cards. The first one is the memory (or flash memory) card which contains storage but no processing or significant security capabilities. These cards are used in digital cameras, handheld computers, mobile phones and other electronic devices.

The second type of chip card is the smart card. It contains a processor and system or application software. Permanent data is engraved into non-volatile memory and some volatile memory is used as a working storage area. They are widely used. Examples include Credit or ATM cards, SIMs for mobile phones and authorization cards for pay television.

Smart cards are further divided into contact and contactless. Contact smart cards have a gold plated contact area that is inserted into a reader that reads and writes information from the chip, for example an ATM card.

Contactless smart cards, on the other hand, only require close proximity to an antenna to complete transactions and use RFID (radio frequency identification) technology. They are often used in transactions that must be hands free or processed quickly. Examples include door access cards, some supermarket discount cards or mass transit cards like the Oyster Card that is used in the London Underground.

The third type of chip is the super smart card which is a card with a small key pad and display. These cards are expensive to manufacture and therefore rare.


Smart Cards do not have guaranteed security. Incidents of card ‘cracking’ have been widely reported. Cracking a contactless smart card would, for example, involve scanning a card with the intention of collecting a cryptographic key. This key is used to keep the card system secure. The scanned key is then uploaded into a laptop which technically becomes a portable card reader. This laptop is then used to wirelessly upload information from other similar smart cards. This information is then used to program new fake cards.

Cracking contact smart cards (for example your ATM card) is achieved through the use of a hacking software program and a card reader/writer. In this instance access to your card is crucial, even if for a short duration.

Card readers are widely used to scan credit cards in retail outlets and it is advisable to be present during the credit card payment process.

Organizations that use smart cards for access control are also vulnerable. To reduce the risk of card cloning it is advisable to combine the smart card process with a biometric authentication feature for example the fingerprint.

The multiple smart cards we are carrying provide motive and opportunity for a cyber criminal. Utmost care should be taken in ensuring only authorized people can access these cards. Upon loss or theft one should immediately report this occurrence to the relevant authorities.

It is time Kenyan Firms adopted Online Biometrics

Many Kenyan companies are slowly becoming more and more reliant on the Internet to transact business. In the financial sector, specialized systems allow clients of stock brokerage firms to invest and monitor their shares and asset portfolios. These systems also analyze financial data that helps Kenyans make better investment decisions.

The systems are reliant on the Internet and this medium is a source of apprehension due to its insecure nature.

Apart from securing the medium and the data that is transported on it, it is important for computer users to adopt techniques that would contain online financial fraudsters. This containment would instill confidence in our burgeoning e-commerce sector.

One technique that holds promise is biometrics. Biometrics in computer security refers to authentication techniques that rely on measurable physical characteristics that can be automatically checked and verified.

These types of biometric identification schemes include the analysis and use of facial, fingerprint, hand geometry, retina, iris, written signature, vein and voice characteristics. These schemes are digitized and stored in information systems.

Biometric identification is being adopted as a secure identification process in financial transactions over the Internet and is destined to play a more critical role in the Kenyan e-commerce sector.

Biometrics would, for example, include a fingerprint scanner on which you place your fingerprint to determine your identity. Instead of submitting your Identity Card to the teller in your bank, you would instead use the fingerprint scanner to establish your identity.

Your scanned fingerprint would have access levels that could, for example, include the ability to use credit card information to make electronic purchases. Modern laptops have integrated fingerprint readers that protect data against would-be intruders.

Biometrics would be appropriate for small businesses that cannot risk having their financial transactions that are conducted over the Internet compromised.

Another way biometrics is useful is when an online fraudster’s identity can be established from schemes previously stored in databases. The importance of biometrics in future computing is evident.

Online financial fraudsters will attempt to circumvent these biometric identification schemes by, for example, using digitized sound recorders to gain illegal access to an online bank account.

Identification and apprehension will be much easier with biometric schemes in place because information systems will adopt biometric identification faster and the fraudsters will be forced to submit their identification schemes so as to gain access.

In this way local cyber crime investigators will be able to instill confidence in our local e-commerce sector because they will be using advanced investigatory techniques to apprehend online financial fraudsters.

Is M-Banking Safe?

One of the readers of this column recently stated to me that Kenyans worry more about the safety of their money than anything else. This is arguable but there is a ring of truth to it and the advent of Mobile-Banking has raised some fundamental security questions.

Various discussions on the potential risks of M-Banking have been conducted in the media due to some recent developments. M-Pesa and Sokotele are transferring huge amounts of money wirelessly.

Equity Bank and Pesapoint have joined the wireless fest.

This situation obviously raises questions on whether the technical, legal and regulatory frameworks exist to protect consumers of these services.

It is clear that technology has once again leapfrogged our lethargic legislative and policy institutions.

We have a myriad of wireless networks existing today. They include Wireless Data Networks (WDNs), GSM (Global System for Mobile Communications), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), UMTS (Universal Mobile Telecommunication System) among many others.

Wireless networks are inherently vulnerable and this includes GSM. Cyber criminals are able to monitor wireless traffic to determine, control and manipulate signal, bandwidth, leakage patterns and so forth. They also engage in mobile sniffing where a vulnerable access point/backdoor is identified.

Popular sniffer tools include Aircrack, AirSnare, Kismet, Arpspoof, AirMagnet etc. Most of these tools are open source and freely available. These sniffer tools are able to scan and detect MAC addresses, authentication tokens, Service Set IDs (SSID), names, signal strength, channel and other features. With time a wireless map of all vulnerable access points is constructed and discreetly distributed on the internet.

The potential for external and internal fraud is ever-present and our mobile service providers have obviously implemented various technical security measures for example encryption of the traffic across the air interface. This encryption is difficult to crack because these encryption keys change every time the authentication process is performed.

Knowledge and vigilance are formidable allies for M-Bank users. It is advisable to familiarize yourself with these wireless technologies and how they are categorized by function, frequencies, bandwidth, communication and security protocols.

It is also crucial to acquaint yourself with the legal and regulatory structures, however inadequate they presently are.

Mobile telephony providers are obligated to employ the most effective technical security measures so as to protect consumers of their services. It is not enough to swiftly roll-out services and make monetary windfalls.

The security challenges of M-Banking are not only technical. Agents are averse to keeping large sums of money in their premises lest they are robbed.

Despite these challenges, M-Banking is a technological development that has provided substantial positive opportunities to Kenyans. It should therefore be safeguarded as it rapidly develops throughout Kenya.

Safeguarding Ourselves from Mobile Telephony

Mobile phones are a relatively recent phenomenon and are used for both personal and professional purposes. These phones are highly mobile communications devices that perform an array of functions ranging from simple voice communication to running computing processes.

Advanced mobiles provide the ability to connect to the Internet and surf the Web, perform multimedia messaging, exchange e-mail or chat using instant messaging.

These capabilities have inevitably resulted in mobiles being used to commit cyber crime. Their universal access offers opportunity and motive to the cyber criminal(s).

Advanced smart phones that provide access to the internet are also used to access pornographic content by underage youth. Designed for mobility these phones grant unique exclusivity and privacy to anyone who possesses such a device. Explicit images can therefore be transmitted through multimedia messaging and thereby circumvent parental and legal controls.

As mobile technology matures we need to question the security of mobile communications and identify the associated risks. This is particularly true in the areas of access to pornographic material by minors and m-banking. There is no silver bullet that can be applied to control the access and transmission of offensive material through mobile telephony.

Parents and guardians are strongly encouraged to speak openly with their children about online explicit material that can be accessed through mobiles.

Education is the first line of defense we can provide to youngsters. Mobile service providers must be active partners in this sensitization process.

It is technically difficult to regulate mobile usage and access. It is however easy to obtain evidence of illegal activity from the specific mobile and network. The following contents of modern mobiles can have value as evidence: IMEI (International Mobile Equipment Identity), short dial numbers, text messages, stored files, programs and audio recordings, logged incoming calls and dialed numbers and GPRS, EDGE, WAP and Internet settings.

M-Security has yet to be embedded into our mainstream policy and legislative frameworks. M-security refers to the policy, technical, managerial and legislative safeguards applied to mobile systems and data to protect organizational and personal privacy. The absence of these frameworks has for instance meant that it was difficult to prosecute the senders of SMSs that were used to inflame tension and incite ethnic hatred early this year.

Inhibiting offensive materials such as pornographic material and hate messages is extremely hard to enforce. Safaricom for instance has about 5 million SMSs being sent by their subscribers on an average day. Determining the source of an explicit SMS from this number is nearly impossible. The imperative is therefore on us to educate the vulnerable members of our society on how to safeguard themselves from the dangers of mobile technology.

Education is the only key.

Understanding Computer Forensics and its Role in Kenya

Safeguarding the Kenyan cyber highway from virtual fraudsters and other malignant cyber characters is vital. Our dependence on ICT is steadily growing and is present in many different aspects of our lives, e.g. public utilities, communications (mobile telephony, e.g. Safaricom), financial institutions (ATMs), medical (diagnostic equipment) and others.

Our digital networks are foundations for our future development. These networks might be corporate Local or Wide Area Networks or home based wireless networks. These digital resources need protection due to the valuable information that traverses them. They are however vulnerable to illegal intrusion and penetration.

ICT Security involves the implementation of safeguards that protect against this intrusion, mishaps and mistakes. These safeguards include: physical security, operational security, information security, disaster recovery, access control, cryptography, auditing, laws and ethics.

The motive here is to prevent a breach. A simple analogy would be the multiple security locks and alarm systems installed at homes to enhance domestic security.

Computer Forensics on the other hand involves the detection and investigation of criminal activities committed online, after the breach or intrusion has occurred. To achieve this, the process of evidence gathering is fundamental. Note that computer forensics and security differ in definition and function though they are fundamentally complementary.

Locard’s Principle of Exchange states that any person who enters a scene of crime leaves something behind and takes something from the scene with them. This applies to the physical and digital realms.

Forensic computing entails the use of sophisticated and modern technological tools and procedures that must be followed to guarantee the accuracy and preservation of digital evidence and the accuracy of results concerning computer evidence processing.

Due to the special characteristics of digital evidence, it is necessary to treat it separately and with special care.

Evidence comes in two forms, physical and digital. Physical evidence will, for example, include the computer against which the crime was committed or that was used to commit it, peripherals, mobile devices and other physical storage devices like DVDs, CDs, memory pens, paper evidence, documentation and others.

Digital evidence will, on the other hand, include deleted files, registry entries, the internet history cache, automatic Word backup files, e-mail headers and instant messaging logs, which give clues as to the intermediate servers through which information has passed. Server logs also provide information about every computer accessing a web site.
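An added illustration, not part of the original column, of how e-mail headers reveal intermediate servers: each mail server prepends its own Received header, so reading them bottom-up reconstructs the relay path. The message, host names and addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not real traffic); hosts and IPs are reserved
# documentation values.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id C3; Mon, 20 Oct 2008 09:15:42 +0300
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id B2; Mon, 20 Oct 2008 09:15:40 +0300
Received: from sender-pc (unknown [203.0.113.25])
\tby relay.example.net with SMTP id A1; Mon, 20 Oct 2008 09:15:05 +0300
From: someone@example.net
To: analyst@example.org
Subject: constructed sample

body
"""

# Matches the common "from HELO (rDNS [IP]) by SERVER" layout of a Received header.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
)


def relay_path(raw):
    """Return the relay hops in chronological order (first relay first)."""
    msg = message_from_string(raw)
    hops = []
    # The newest Received header is on top, so reverse to follow the message's journey.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        info, _, stamp = value.rpartition(";")   # the timestamp follows the last ';'
        m = HOP_RE.search(info)
        hop = m.groupdict() if m else dict.fromkeys(("helo", "rdns", "ip", "by"))
        try:
            hop["time"] = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            hop["time"] = None                   # malformed date: keep the hop anyway
        hops.append(hop)
    return hops


def review(hops):
    """Flag inconsistencies an examiner would want to look at more closely."""
    notes = []
    for i, hop in enumerate(hops):
        # The HELO name is whatever the sending host claimed; the receiving
        # server recorded the rDNS name and IP itself.
        if hop["helo"] and hop["rdns"] != hop["helo"]:
            notes.append(f"hop {i}: HELO '{hop['helo']}' differs from rDNS '{hop['rdns']}'")
        prev = hops[i - 1]["time"] if i else None
        if prev and hop["time"] and hop["time"] < prev:
            notes.append(f"hop {i}: timestamp earlier than the previous hop")
    return notes


if __name__ == "__main__":
    path = relay_path(SAMPLE)
    for i, hop in enumerate(path):
        print(i, hop["ip"], "->", hop["by"], hop["time"])
    print(review(path))
```

Only the headers written by servers the examiner trusts are reliable; entries lower in the chain were supplied by upstream hosts and can be forged.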

Computer forensics is a vital component in combating white collar crime, child pornography and other malicious crimes. ICT technology has already permeated our society. It is only logical that we develop the attendant capacity to detect and investigate cyber-crime. Our limited expertise is already costing us and the rampant growth of child pornography at the coast is example enough that Kenya needs to develop computer forensic capacity.

Protecting our Youth against Child Pornography

The Internet has brought with it immense contributions to our society. In the educational, economic and social areas much has been gained through easier researching, faster financial transacting and near limitless communication.

However, its darker side is now evident. The CCI Wednesday Magazine recently exposed the alarming growth of child pornography at the coast. This crime has continued unabated in our midst due to the fact that as a country we are ill-prepared to combat cyber crime.

Child pornography is defined as a visual depiction of any kind, whether made or produced by electronic or other means that depicts a child or minor engaging in sexually explicit conduct.

This reprehensible crime is increasingly ensnaring more minors who are under 18 years of age. These are legally recognized children who find themselves in the clutches of online sexual predators.

It is important to realize that the lives of children featured in these illegal productions are forever altered, not only by the molestation but by the permanent record of the abuse.

It is hard to detect child pornography due to the anonymity found in the internet. The distribution of exploitative images of children is conducted through home-computer technology.

This technology has revolutionized the distribution of these images by increasing the ease and decreasing the cost of production and distribution especially across international borders.

Computer technology has transformed this once fringe activity into a booming and sophisticated global cottage industry.

People who produce, distribute and possess child porn images are typically multiple offenders who usually sexually victimize children.

Apprehending these sexual predators is difficult and needs a radical realignment from our law enforcement agencies.

Applying traditional investigation techniques to combat child pornography will not dent this nefarious crime. Online sexual predation demands skilled digital investigation where undercover investigators can pose online as minors and identify the offenders who are victimizing innocent Kenyan children.

Financial resources should be allocated to setting up a High-Tech Crime Unit within the Kenyan Police Force. This unit should be mandated with the task of ferreting out online sexual cartels that have taken root in our country.

Funds are required to finance computer forensic labs, train officers, purchase software and hardware equipment, logistics and finance legislation that curbs child pornography.

Global liaison is an area that also presents a challenge to child pornography investigations and would be an area of urgent concern for a local cyber-crime unit. Trans-national sexual predation has emerged as a mounting problem due to the global nature of the internet.

While international child sexual predation is by no means a uniquely modern phenomenon, the global nature of cyberspace significantly enhances the ability of child sexual offenders to commit crimes in Kenya which will affect individuals in a variety of other countries.