Friday, May 08, 2009

TIME IS NIGH FOR SECURITY SHARING

For the past two decades we have been witness to an electronic revolution. Social functions as we used to know them have been radically turned inside out by technology. Records from bank accounts, tax returns, property registers and shopping transactions have become electronic.

Of equal importance are the mundane everyday systems that have discreetly been automated. For instance burglar alarms are no longer the sirens of yore that woke up the whole sub-location. They instead send silent messages to security control rooms. Locks are no longer mechanical affairs. They are now swipe cards or remote controls.

All these developments have a common fabric. Technology has permeated nearly every sector of our society. Computer security will suddenly mean more to you when almost every electronic device that affects your life is connected to the Internet.

Computer security systems frequently break down and the same elementary mistakes are repeated in one organization after another. These systems apart from failing also just don’t work well enough.

Instances of credit card fraud, identity theft, DSTV pirating and other cyber crimes will become commonplace in Kenya once we get connected through the submarine fibre cables.

Most failures of security systems (computerized or otherwise) can be prevented if security experts had a bit more knowledge of what had been tried, and had failed elsewhere. ICT security technologies (eg. auditing, encryption, access controls and others) are relatively well understood in themselves.

The problem lies in the knowledge and experience of how to apply these technologies in a nascent ICT sector like ours. The rapid computerization that is happening has not given Kenyan ICT security professionals enough time to learn and exchange these lessons.

As a result the same old security square wheels are being applied in most local organizations. The companies that have managed to understand that exchanging security incidents and lessons have been able to reduce their vulnerability.

Within a few years there will be more mobile phones, lifts, refrigerators, electricity meters, burglar alarms and CCTV cameras on the Internet than personal computers. This will require security professionals to think differently.

Knowing what works, and more importantly what has failed, in other organistions is a great help in developing good ICT security practices in Kenya. It is therefore imperative that ICT security professionals develop a forum for exchanging ideas and good practices.

Thursday, April 30, 2009

DO YOU FEAR DEPLOYING ENCRYPTION IN YOUR ORGANIZATION?

The last time we discussed encryption we examined its role in enhancing and protecting personal privacy. This piece continues by discussing why organizations should employ encryption as a priority tool in their security framework.

The current depressed global economy has resulted in a burgeoning market for stolen data.

Companies have, in the recent past, been slow to employ encryption due to various reasons. It used to be hard to set up and would slow network performance. The primary fear was that if a company used encryption on critical data and something went wrong, then that data would be irretrievable.

These concerns were justified then but are no longer relevant today. The first fear we should dispel about encryption is that implementing it is insanely difficult. Enterprise encryption software is now easy to deploy and maintain. You need to first establish how critical data flows through and out of the company. You also need to locate where this data resides. You will then be able to identify who has or can gain access to the data. Deploying encryption in these areas therefore becomes easier.

The second concern has been that encrypted data compromises network performance. This was true when encryption technology was in its infancy. Today’s solutions have been developed to make the best use of available computing cycles. They extensively use background processing to minimize their impact on the network.

It is also widely believed that managing an enterprise encryption solution is excessively complicated. Today’s encryption solutions are centralized and fundamentally simplify the oversight and administration functions.

It is also feared that encryption negatively affects data availability. Encryption does not limit access to data. It will only do so if you encrypt your database without carefully examining your enterprise use patterns. You should determine which critical applications are accessing the database most often. This will help you optimize your encryption solution to remove any bottlenecks or access delays.

Encryption finally invokes one doomsday dread. This is where a technical or staffing problem makes it impossible to decrypt your data. Imagine if the IT manager suddenly leaves the organization in a huff. Enterprise encryption will not leave you in such a lurch. There are double-authentications which require more than one person to access the key. If the key somehow becomes unavailable you can use the built-in restoration tool to decrypt your data. And with the numerous checks and balances that are in the software, any encrypted data can be decrypted and restored without resorting to expensive external consultation.

Encryption is necessary for any company that handles customer details and other critical data. There is now no sensible fear that justifies delaying usage of this crucial defense tool.

Tuesday, April 21, 2009

ARE WE PROTECTING OUR WIRELESS NETWORKS?

Not too long ago applying for a fixed-line phone used to fill one with dread. After being on a waiting list for eons, you would finally get the treasured land line connection. That, however, would not be the end of your troubles. The connection would constantly break down, bills were often wrong and maintenance service was pathetic.

It is against this backdrop that we have readily embraced wireless communication technologies. Cellular networks have experienced phenomenal growth in the recent past. Wireless computer solutions have also experienced substantial demand as we seek to become more flexible and productive.

Dependence on wireless computer networks is therefore increasing. Wireless Local area networks (WLANs) and Wireless Metropolitan area networks (WMANs) that connect several WLANs have become common in Nairobi. People and businesses use wireless networks to send or share data quickly whether it be in an office building or across the world.

Wireless networks are, however, inherently more vulnerable than wired ones. Denial of service (DoS) attacks against this type of network does not require a very sophisticated modus operandi.

These attacks can be launched from within or from outside using widely available standard wireless equipment. They can be carried out by a hacker using a standard laptop equipped with a high output wireless client card and a high gain antenna. There are many other methods of attack and protecting these wireless networks requires the implementation of defensive measures.

Deploying WLAN intrusion detection systems will assist in identifying Dos attacks. Strategically mounting the access points at sufficient height will deter hackers from easily reaching and destroying the access points.

It is also important to aim directional access point antennas towards the inside of the building. This will help to contain the RF (radio frequency) signal.

Making a building as resistive as possible to incoming radio signals is another crucial defensive measure. Installing metallic window tint instead of curtains or blinds can help prevent RF leakage and keep incoming radio signals out. Wi-Fi proof wallpaper and Wi-Fi paint also serve the same purpose.

Implementing the IEEE 802.11w standards that outlines the Protected Management Frames is advisable. WLANs send system management information in unprotected frames. This standard aims to increase security by providing data confidentiality of these frames.

Finally, it is good security practice to carry out wireless audits with the aim of determining how far the RF signal actually extends outside the building.

Saturday, April 18, 2009

COMPUTER GAMES HAVE BECOME SECURITY THREATS

If you encountered computers at an early age then you most likely indulged in computer gaming. Can you ever forget the excitement when you first played Prince of Persia, Wolfenstein 3-D and Doom? Other memorable ones include Counter-Strike and Grand Theft Auto.

Gaming has evolved from solo playing in one computer to interacting with multiple online players from far flung locations. This has spawned a lucrative business with revenues from online games being estimated to be in the billions of dollars. This has obviously attracted cyber criminals.

The rise in massively multi-player online role playing games (MMOGs) has made computer games attractive targets. Crooks are able to exploit the vulnerabilities in MMOGs to commit identity theft and intrusions.

MMOGs require permanent internet connections and this access is used to steal user data from both real and virtual environments.

In these games, players often change or purchase virtual commodities. These may be weapons, clothes, medicine, money or property. The items are bought using real money which is converted into virtual currencies. These virtual funds are attracting crooks. Profits derived from illicit activities are hidden in the game economies of virtual worlds in a new form of money laundering.

Due to the competitive cut-throat business of computer gaming, vendors have overlooked security in their mission to be first to market the next big game hit. The result has been increased vulnerability to data stealing Trojans. These Trojans have the aim of recording user IDs and passwords together with the IP addresses of the servers these MMOGs are hosted. Keyloggers are also introduced which record all keystrokes.

After compromising a player's online account, the online crooks are able to convert the virtual objects and currencies they steal into real money.

Other vulnerabilities that are easily exploited are scripting holes. These are typically found in web applications which allow code injection by malicious users into the web pages viewed by other users. An example would be where you play an online game from a website that has a link to another site that exploits a scripting vulnerability. Upon clicking the line malicious scripts execute in your browser and steal sensitive information like passwords and billing information.

Games that require permanent internet connections and use some form of virtual economies need to be used with caution.

Wednesday, April 01, 2009

ARE YOU PROTECTING YOUR MOBILE DATA?

The power of mobile computing has resulted in tremendous work flexibility and productivity. Tools such as laptop computers and sophisticated mobile phones have allowed us to perform functions that were previously unachievable. You are now able to conduct professional corporate presentations while visiting clients or updating budgets while on vacation among many other work related activities.

Mobility unfortunately has brought new and serious challenges in the areas of corporate security and information privacy. It is now common practice for companies to issue laptops to employees as replacements for their desktop computers. Powerful mobile phones are also provided so as to maintain constant e-mail communication. This has resulted in vast volumes of corporate information being delivered and stored electronically.

A dramatic upsurge of laptop theft has been witnessed in Nairobi. These device losses pose a serious risk to both the owner and company. Personal and trade secrets can easily fall into the wrong hands. Beyond the loss of hardware, the greatest concerns are often the value of data and the unsecured enterprise access available through a company laptop. Corporate data obtained from a stolen laptop can be sold to competitors. Unauthorized access to a company’s customer database can be achieved by use of a stolen laptop. Your personal data can also be used to commit identity theft.

These scenarios demand a layered approach to mobile computing security where data protection is also included. This approach encompasses Compliance, Protection and Recovery.

Compliance is the ability to comply with applicable mobile data protection regulations and to provide an easily accessible audit trail. To ensure compliance, companies must protect data, track the mobile hardware (and their users), provide auditing capacities and maintain historical records. The Kenya Communications Act and the Communication Commission of Kenya’s regulatory framework are good starting points. Non compliance will expose the organization to law suits in the event of data loss.

Protection is the ability to prevent mobile data losses from occurring. Data loss from a stolen laptop can be prevented by encrypting mobile data. Encryption, however, fails to protect sensitive information in cases of internal theft. In instances of external theft, encryption only delays access to sensitive information. To ensure total protection a multi-faceted approach of combining encryption, strong authentication and deployment of asset-tracking software will ensure aggressive protection.

Asset-tracking software tools are able to track and recover laptops that are lost or stolen. They also monitor any changes or disappearances in computer memory, hard drives or peripherals.

Recovery is the ability to recover lost or stolen mobile data, to retrieve lost or stolen devices and return them to the control of the organization, and to facilitate prosecution. Companies should have in place procedures that include law enforcement officials in the recovery of these devices. A fully functioning Cyber-Crime unit of the Kenya Police would be able to increase the asset recovery and prosecution capacity. Subsequent prosecution would act as a powerful deterrent against future theft.

This multi-layered approach will go a long way in ensuring that mobile asset and data protection controls are in place and reduce the exposure of legal action due to device loss.

HIGH TIME WE INTRODUCED A POLICY TO PROTECT OUR SURFING CHILDREN

Computer usage by our children in our primary and secondary schools has become commonplace. Computers have also become familiar in private and public libraries. Nurseries have not been left behind either, albeit only a few upscale ones provide computer instruction to toddlers.

Introducing this technology to our children at an early age is recommended because their adult lives will be synonymous with technology.

In the near future access to the internet will become cheaper in Kenya. This will enable most schools to provide full time broadband access to their students at a subsidized rate. This access will mean our children will have access to all shades of digital material.

Time is nigh for us, as a society, to develop an internet safety policy that will ensure educational institutions and libraries have technology protection measures. These measures must be tied to government funding or licensing.

Waiting for legislators to introduce this initiative would be akin to waiting for Godot. Educational institutions should also not be left with the sole responsibility of implementing safety measures. Parents should be ready to develop and enforce this policy as an additional component of sound parenting.

An internet safety policy, that specifically targets schools and libraries, should include measures that block or filter internet access to pictures that are obscene or harmful to minors and teenagers.

These institutions must prove compliance by educating minors about appropriate online behavior, including cyber bullying awareness and response and interaction with online individuals on social networking sites such as Facebook or MySpace.

Educational institutions should also be required to restrict minors’ access to materials harmful to them. They should limit unauthorized access, including hacking and other unlawful activities by minors online.

There are software tools out there that can enforce these measures. These tools offer complete protection from internal and external threats for instant illegal P2P file sharing, data leakage, data loss and more.

Schools can be able to implement software that offers content monitoring and complete visibility into individual users, allowing them to protect minors and students while securing the institution from issues of legal liability.

The computer and the internet have become rapidly growing tools that enable children and adults to instantly access information and resources. It is also a powerful communication medium. It is our duty, as parents, to ask whether the schools our children attend have implemented basic computer and internet safeguards.

Not to be forgotten is the role of parents at home. It is common for parents to assume that rules are being adhered to when in actual fact they are not. There is also an assumption that rules are not needed when they are.

Rules and regulations in educational institutions should be in tandem with the ones at home. We cannot afford to be lax on this issue of protecting our children from the dangers of the computer and the internet.

Parents must learn to protect their children from the array of undesirable digital content both at school and home.

SHOULD YOU PUBLICIZE YOUR SECURITY VULNERABILITIES & BREACHES?

Many local companies experience IT security breaches and keep mum about it. A breach is a rupture, break or gap whose cause has not been determined. It can be more vividly defined as an opening or gap in the wall. Digital walls protect valuable data systems and when they are breached the repercussions are extremely costly to both individuals and companies.

When a tree falls in Mau forest it certainly makes a sound. If a section of a perimeter wall collapses it makes a sound. If there is no on around to hear the tree crashing down or the wall falling apart then the event is not immediately registered or discovered.

What if a computer network is vulnerable or breached and no one knows about, is it insecure? A collapsed section of a wall makes it insecure to those who know about the vulnerability. This also applies to a computer network with a security hole. If no one knows about it, that is the vulnerability has not been discovered, then the computer network or digital wall is secure.

However if someone knows about it, then the IT system is insecure to the discoverer but secure to everyone else. If part of that perimeter wall round your residence is vulnerable and you have no knowledge about it, then that wall is secure to you. But to a robber who knows its vulnerability, it is insecure.

What if you knew that your network was vulnerable? What if you knew if part of that wall round your home was vulnerable? Would you publicize this fact?

The vulnerability exists, whether or not anyone knows about it. Keeping computer breaches and vulnerabilities secret does not guarantee your security.

An attacker can’t exploit a vulnerability he does not know about. A defender, also, cannot protect a vulnerability he does not know about.

In Information Technology, security that is based on publishing breaches and vulnerabilities is more robust. Those companies that suffer hacking attacks and keep them secret undermine the natural flow of information. Instead of fighting this flow, companies should embrace full disclosure which ensures they end up with more security than less.

The internet is still an insecure cyber-world, but it would have been much worse if its software vulnerabilities had been kept secret. Disclosure about its vulnerabilities has resulted in many of them being fixed.

Companies should stop sweeping their vulnerabilities and problems under the rug. They should instead embrace the full disclosure security movement. This will not only enhance their system security but also prevent those holes in their walls being announced in blogs and newspapers.

DO YOU HAVE THE ESSENTIAL INFORMATION SECURITY CERTIFICATIONS?

Information security is only growing in importance. Whatever an organization’s mission, product, or service, its information security is paramount.

Many readers of this column have asked me about IT security courses and certifications. Which one is the most suitable and whether these courses are available locally. I want to oblige today and list three essential IT security certifications.

These security certifications can significantly bolster your curriculum vitae and assist in job retention. Generally, choosing which certification you do is dependent on the career road map you have outlined for yourself.

So once you have decided that your career road map is IT security, it is important to appreciate that the best certification for you depends on your education, skills, and goals. For this reason, when pursuing any professional accreditation you should give much care and thought to your experience, skills, goals, education and desired career path.

One of the pre-eminent IT security accreditations is the Certified Information Systems Security Professional (CISSP). This certification is administered by the International Information Systems Security Certification Consortium, commonly known as (ISC)². (ISC)² is a global vendor neutral not-for-profit organization that provides various information security certification programs.

CISSP is a globally respected certification that is designed for security industry professionals with at least five years of full-time experience. It is internationally recognized for validating a candidate’s expertise with operations, network and physical security, as well as the ability to manage risk and understand legal compliance responsibilities and other security related elements.

The exam is particularly daunting. It consists of 250 questions with four options each and is six hours long. You can obtain more information from www.isc2.org.

Another accreditation worth pursuing is Security+ offered by the Computing Technology Industry Association (CompTIA). This certification is vendor neutral and recommends at least two years of on-the-job technical networking experience. It validates knowledge on organizational security, cryptography, assessments and audits, access control security systems, access control and network infrastructure. You can find out more about Security+ from www.comptia.org.

There are, of course, other security certifications out there. The Certified Information Security Manager (CISM) certification is for security professionals who manage, design, oversee and/or assess an organization’s information security. CISM is offered by ISACA. The website is www.isaca.org.

Certification in itself is not the end. These certifications should instead be pursued with the aim of enhancing your IT security skills and providing an additional competitive advantage that sets you apart from the crowded IT field.

ARE YOU A RECKLESS SHOPPER

Despite the global recession, experts predict online retail shopping to grow. Online retail demand, in Kenya, will be boosted by the imminent arrival of several submarine cable systems this year.

Online shopping is un-disputably more cost effective and faster than the traditional commute from one duka to the other. Comparing prices and bargains is merely a click away.

The current global recession will prompt more Kenyans to consider shopping online in search of better bargains. Following closely behind are the scammers who, also due to the recession, will increase their presence in the internet.

Kenyans need to be more vigilant and aware of the pitfalls that exist in this electronic supermarket. We can never be too careful and this message needs to be constantly repeated.

I have outlined some golden rules one should adhere to if you are to shop online and come out unscathed.

Never go shopping without ensuring that your personal firewall is enabled and updated. Standard firewalls included with operating systems are insufficient. They do not adequately control outbound connections. By installing a reputable firewall you will be able to monitor and prevent sending out of your shopping data on the internet by malware.

Online shopping is synonymous with credit cards. This is the Achilles heel of e-commerce. To be able to protect yourself you should ensure that your cards are registered with online providers such as MasterCard SecureCode that verify your transactions via a private code.

It is also prudent to use only one card for online shopping. Never use multiple cards or mix normal purchases with your online credit card. Maintain the limit for this card to be as low as possible. Better still, use a top-up card for your online purchases.

Remember that your bank provides you more security guarantees with a credit card than a debit card. So avoid debit cards for online shopping otherwise you might be exposing yourself to exploiters.

Checking your card statements regularly for any irregular activity is a good habit. Scammers use small transactions over a long period of time so as to avoid detection. That 400 bob that cannot be explained in the statement is warning enough.

On the site you should always check for the little padlock at the bottom right hand corner of the Internet Explorer browser. This confirms that an encryption key has been activated for your data transmission.

Also make an effort of checking the site’s privacy policy. Check for details of how your personal information will be used and try to provide only the required minimum information.

Adhering to these few rules will help you keep the scammers at bay. Embrace online shopping but keep it safe.

Saturday, January 24, 2009

Can you use Encryption to Enhance your Privacy?

Continuing on from a previous article, which looked at privacy in today’s internet age, this piece continues by discussing how one can use encryption to protect privacy.

One aspect of privacy that I didn’t discuss is what information your employer holds with regard to your surfing activities. Employees are now provided with internet access and every click and typed address is tracked by your employer.

There are various monitoring tools available that account and report on employee internet usage. These tools are evolving and improving giving employers the ability to chart what a particular user does, how often and when they do it.

This monitoring is sometimes justifiable. Employees that abuse their access to the internet instead of doing the job they are employed to do are identified through these tools.

A perturbing observation still remains: organizations can create a profile of you that includes personal information such as purchases, transactions, medical status and others. This constitutes private data.

You cannot do much to control who accesses your internet or network usage information in an organization. However, as a home user, there are various security and privacy aspects you should be aware of.

The storage media you use, for example USB sticks and CDs, are easy to lose and steal. Laptops have become much sought after items by thieves.

The loss of computer hardware is incomparable to the data loss. It is therefore crucial to encrypt your files so that they are unreadable to all but the owner of the decryption key, you.

Encryption can be simply described as the conversion of ordinary language into code. This is where information (plaintext) is transformed using an algorithm (cipher) to make it unreadable to anyone except those possessing the key. The process of converting this encrypted data (sometimes called ciphertext) back into its original form is called decryption.

Encryption solutions are inexpensive and widely available whether it is for large organizations, small businesses or home users. It is a good practice to encrypt all valuable information on the portable storage devices we use. That way if your laptop or USB device is stolen, the thief will be unable to make any use of it whatsoever.

Another advantage of encryption is that it protects sensitive data against malicious code. When malicious code manages to bypass network security, encrypted data acts as an extra layer of defense. This way privacy can be ensured.

Encryption renders your personal data useless to thieves. Using the encryption solution is advisable to all corporate and individual computer users.

The Communications Act could have gone Further

Putts Law states that technology is dominated by two types of people – those who understand what they do not manage and those who manage what they do not understand. The Kenya Communications (Amendment) Act 2008 has made a spirited attempt in assisting us manage what we don’t fully understand.

From an electronic commerce, security and forensics point of view, The Act has commendably addressed various substantive issues.

A range of financial tokens that underlie e-commerce have been secured against fraudsters. Case in point is Formation and Validity of Contracts where a contract shall not be denied validity or enforceability solely on the ground that an electronic message was used for the purpose.

It is therefore possible to use digital signatures that provide reliable authentication of documents in computerized digital form. These signatures have been legally recognised. This means that where a law requires a signature of a person, this requirement can be met if an advanced electronic signature is used within the context of a relevant agreement.

The implications of this aspect on e-commerce are wide-ranging. You can electronically sign credit contracts with virtual banks and use virtual letters of credit to conduct business. Other aspects that will enhance e-commerce include Attribution/Retention of Electronic Records and Acknowledgement of Receipts.

On ICT security and forensics, The Act has fundamentally altered the electronic security landscape in Kenya. The notable inclusions include the entrenchment and substantiation of electronic records (or evidence).

Electronic records are now legally recognised and can be retained in their original form. This means that your internet history logs, for instance, can now be used as evidence. Attribution is also now legal in that an e-mail receiver can legally act on the contents of an e-mail after identifying its source.

It is now illegal to gain Unauthorised Access to a Computer System, Modifying Computer Material without Authority, Disclosing Passwords, Committing Electronic Fraud, Publishing Obscene Information and Planting Viruses/Trojans in systems.

There are however some significant omissions that should have been included in The Act. Firstly we must divorce ICT from media and publish a dedicated and detailed ICT Act. Some might argue that ICT and media are converging. My contention is that ICT, being a complicated technology with multi-faceted functions, should be recognised as an independent framework despite its use in the media and other sectors.

Electronic investigation has been given a cold shoulder by this Act. Codes of electronic investigation and evidence handling procedures should have been outlined in more detail.

Information is today’s commodity of choice. This digital property will invariably ignite conflict. It would therefore have been advisable to include an ICT intellectual property framework in this Act. Finally the Amendment Act could have meted stricter penalties for sponsors and perpetrators of child pornography, which is has become a menace in Kenya.

In sum, this Amendment Act is a commendable first step. What should be appreciated is that ICT is dynamic and more legislative and policy work needs to be constantly developed.

How to Catch a Cyber Criminal by Staging

The traditional village market has been replaced by the global digital market. The internet has transformed trading of goods, services and commodities fundamentally. Kenyans have swiftly embraced technology and once the national fiber and submarine cable infrastructure is in place, expect a boom in electronic commerce.

However the same problems of fraud that were witnessed in the village market have crept into the digital realm. Fraudulent schemes continue unabated even in the internet. Digital thugs are busy attempting to defraud online customers by misrepresentation and deception. These online criminals try to present goods and services that look, as much as possible, like those that legitimate e-commerce merchants offer.

Their access point is usually the website. The website today’s bank counter, the first access point. An e-commerce trader has to be more vigilant than the brick and mortar bank manager. This is because a cyber criminal can easily breach an e-commerce website, commit fraud and leave undetected.

It is therefore vital to counter these web attacks by understanding and using various profiling techniques. One of the most effective is Staging (or posing). This is a profiling technique that can be used to obtain a profile of a financial intruder.

Staging is the manner of website defacement or the way particular files or resources are left once penetrated by the intruder. The habit of leaving deliberate ‘calling cards’, is not common among cyber fraudsters. This is because their motive is to breach e-commerce websites and obtain the data. This can only be achieved by employing a sustained covert connection to the system.

They therefore go to great lengths to cover their tracks. The alteration of a crime scene to confuse or mislead is common and is a good example of staging. The forensic investigator looks for signs that not only indicate the presence of an online fraudster but also of cover-up signs.

Intruders attempt to hide or remove evidence of an intrusion by deleting logs, altering date-time stamps, and installing their own utilities to subvert the operating system. They also use strong encryption to cloak their activities by encrypting data before stealing it, encoding communications between compromised hosts and obfuscating executables.

It is therefore important to identify the absence of the obvious as well as the presence of the obvious online financial intruder tracks. The presence of encrypted packets within a network is evidence of an intrusion. The absence of router network logs is indicative of an intrusion.

Staging is, therefore, a useful profiling technique that can assist our budding local e-entrepreneurs.

Cover Up – Your Privacy is Important

It is often claimed that most of the luxuries in life are now affordable and only one remains - privacy. Maintaining individual and business privacy in this era of pervasive technology has become increasingly difficult.

Business privacy is a concept that needs to be addressed with urgency due to the potential for serious breaches in the public’s expectations of privacy. Any organization that is a data owner (or holder) should commit itself to protecting its customers’ privacy up front and not as a back burner concern.

Your privacy is under threat from various sources. One of the most potent is the search engine. An internet search engine is a tool that can scour the global web for the results you want at the snap of your fingers.

This powerful technology can be used for good and bad purposes, just as weapons can protect or harm us. The downside is that search engines threaten personal and business privacy.

Google, a popular search engine, can be easily used to unearth information about you and your business that you don’t want people to know.

Anyone who is in the market for illicit corporate, or individual data, can take advantage of search engines’ power to acquire data to which the authors or originators of the data never intended them to have access, but which have inadvertently been left exposed.

It is unfortunately quite easy to unearth data. Google, for instance, provides special tools which are known as ‘advanced operators’. They are query words that have special meaning when used with Google.

They allow a regular user to conduct an extensive ‘drill down’ search. For example, ‘link:’ is one such advanced operator that yields all web pages that have links to a web site. For example [link:www.eastandard.net]. These operators can be found on www.google.com/help/operators.html.

As tools for obtaining private data, these advanced operators are effective. Hackers exploit the fact that companies, when designing their websites believe they have locked their front door but in fact have left a window open. These websites therefore publicize information they would want to keep secret.


There are various mechanisms and controls that should be used to safeguard privacy. Encryption, for example, should be used to protect client data on storage media. Company data should only be availed to personnel on a ‘need to know’ basis. Regular internal audits should also be conducted to ensure there aren’t any breaches of the laid out privacy policies.

Organizations must also desist from delegating responsibility for privacy issues to junior members of staff. Privacy should be championed by the Board and a senior decision maker, with the power to make important changes, should provide coordination.

In sum, organizations must embrace a higher commitment for ensuring data privacy. Any issues that are associated with privacy breaches must be addressed by those planning, designing and implementing new IT systems.

Preventing the Crime will help avoid Laborious Forensic Investigations

The process of obtaining and processing computer evidence and taking suspects to court is usually a long and expensive task. This process involves four primary stages. These being the acquisition, identification, evaluation and presentation.

The acquisition stage is mainly concerned with forensic capture of the device and its resident data. This is where the digital device that was involved in a cyber crime is secured. A record is made of the location where it was found and seized. For example an external hard disk that was hidden under a pile of newspapers provides a clue about the intent of the suspected offender.

During this stage of acquisition, data must be copied from the original hard disk using a write-blocking device. This device sits between the offender’s disk and the investigating computer. It stops all write signals being passed from the computer to the disk, hence preserving the data contained in the disk.

The second stage is identification. Here we recognize that digital evidence from an offender’s device can be interpreted from a number of perspectives. You can, for instance, examine the physical sectors of a disk and the logical partitions and files system. This can give you an idea on the technical expertise of the offender.

At this stage we also consider the context within which any digital evidence is found. This is especially crucial in financial forensic investigations where context will help the forensic investigator relate and untangle complex financial transactions.

Useful sources of evidence include records of internet activity, local file accesses, cookies, e-mail records among many other sources. Evidence should be handled with utmost care and a chain of evidence must be made. The investigator must also make notes at the time he takes any action regarding an offender’s device. These notes are more likely to be accepted by a court rather than a witness who is relying on his memory of a past event.

The third stage is evaluation where a decision on the digital evidence found is made. To achieve this, the investigator must have understood how the data was produced, by whom and when.

The fourth, and final stage, is where the interpretation of the raw data and the reconstruction of events that occurred on the offender’s disk prior to its seizure are undertaken.
You can avoid this process by implementing information security measures. For example you can place monitoring equipment on the perimeter of your network. This will allow you check for new access points and devices.

My point is that individuals and companies must aim to avoid a lengthy computer forensic investigation by investing on security controls, educating staff and developing policies that bolster information security in the organization.

Is the Photocopier a forgotten Weak Security Link?

The photocopier is an often ignored periphery in a corporate network. It has evolved from the single function device that used to sit in some obscure dusty corner to the multifunctional, networked document processing hub found at the heart of the business.

Modern photocopiers are termed as multifunctional devices that use digital print engines and combine several functions like copying, scanning, printing and faxing. Due to their multiple functions, copiers have become common devices in the corporate Local Area Network.

Digital copiers have the same power as PCs and can also be used to email documents, store confidential data and reproduce sensitive information. These copiers also have hard disks that store images of copied documents. Think about this the next time you copy personal documents using a company or commercial copier.

Another security risk is their ability to scan and email. What would be the impact of strategic company plans been scanned and emailed to competitors or sensitive documents been copied and their images accessed through the network?

Organizations should identify the risks associated with a networked digital copier. A starting point would be for System Administrators to ask themselves if access to the copier is controlled by authentication. Are the print files and stored images encrypted? Can the administrator remotely enable or disable the copier’s ports to control its usage?

Can the digital images on the hard disk be overwritten? Does the copier track usage, providing an audit trail of each user from monitoring purposes? If the answer to any of these questions is no, then it is time to re-evaluate your company’s multifunctional device security.

As with most aspects of information security, organizations should adopt a combination of staff education, policies and technology so as to secure their networked copiers.

Staff should be made aware of potential risks and the role they play in maintaining information security. Policies must dictate the use of all multifunctional devices. They must also outlaw inappropriate practices such as the unauthorized access of a copier’s hard disk.

Simple technological security checks should be introduced. For example, authentication should require staff to input their log-in details and password just as they would to access their PC. Traffic from the desktop to the copier should also be encrypted.

Ultimately, however, we can no longer ignore the crucial role photocopiers play in today’s business environment. This should encourage organizations to treat them with the same priority as any other aspect of ICT security.

M-Pesa - Legislative Safeguards Should be in Tandem with Electronic Ones

The recent announcement that the Government will introduce a Microfinance Act and regulate money transfer services is commendable. It has been acknowledged in many quarters that technology has outpaced legislation and regulation in Kenya and something needs to be done about it.

The government should however ensure that wireless money transfer providers are obligated to implement basic electronic security technologies in their networks.

There are various wireless technologies in existence today. They include Wireless Data Networks (WDNs), GSM (Global System for Mobile Communications), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), UMTS (Universal Mobile Telecommunication System) among many others.

Wireless networking technology (including GSM) has become a very popular system for mobile communication in the world. This popularity and convenience is driven by two primary factors: convenience and cost. Mobile products have consequently been embraced at an astonishing pace.

The ability to communicate, send short messages and transfer money using your mobile, independent of a ‘physical’ infrastructure, has provided us with a convenience that we never enjoyed before.

PINs which are required to access your M-Pesa account reside in the service provider’s database. This database of passwords is, needless to say, very important and should be secure.

Apart from password data, these databases also contain customer details, call records, subscriber location and transaction histories.

Will the proposed legislation obligate service providers to ensure these databases are protected using cutting edge security technologies?

Apart from electronic safeguards the proposed regulatory framework should exhaustively deal with mobile electronic evidence. The electronic transfer of money is prone to fraud and money laundering. Obtaining, preserving and presenting technical telephony evidence in a court of law is difficult and should be buttressed by adequate legislation.

We should also not develop a framework for mobile money transfer in isolation. This framework should exist under the umbrella of the wider ICT Bill.

The concept of M-Security cannot be ignored by the proposed Microfinance Act and Regulations. M-security concerns itself with the policy, technical, managerial and legislative safeguards applied to mobile systems and data to protect organizational and personal information.

M-security should therefore be part and parcel of any legislative and regulatory framework of money transfer services in Kenya.

Are you Controlling Access to your Network?

Networks are the nervous systems of our information technology body. Networks are integrated computers and peripheries that are linked through communication facilities.

They are basically two or more computers that share resources and data, linked by cabling, telephony or wireless equipment.

You have most likely heard of the Eastern Africa Submarine Cable System (EASSy) which will connect us to the global network. You will also have noted the numerous trenches been dug in major urban centers. This is the national fiber network been laid out.

Networks primarily transmit data electronically. This data is in the form of voice, video and images.

Networks have become indispensable parts of our lives and the Internet is a good example of our dependency on networks. The Internet is a network of networks that links millions of computers globally.

Companies have networks called intranets. This corporate network is tailored to meet the specific requirements of an organization.

Controlling who accesses the company intranet is a crucial security concern. This control involves a number of aspects. It is firstly concerned with what network resources (data or periphery devices) an authenticated user can access based on his/her rank.

Network access also involves all security policies assigned to a user and the behavior of the user once he/she has accessed the network. Today network security is about controlling individual user access to services and data, and auditing their behavior to ensure compliance with policies and regulations.

Network access control is also largely based on what layers of security are applied to a network. Businesses must inspect the valuable and sensitive information carried by the network to ensure its confidentiality and integrity.

Security policies are a component of network access that involves defining a manageable yet effective set of compliance-checking, enforcement and remediation policies. Companies should determine what types of checks will be performed, how often, what types of warnings will be displayed to users and how policies vary by user. The secret is to keep these security policies simple.

Another component of network access is giving the users the option to access a limited set of resources (such as the Internet or email) so that they can work without interruption.

Finally companies should be prepared to handle exceptional user scenarios which could occur at any time. For example if a natural disaster or another unusual problem prevented users from accessing the network. Provisions for access to critical resources from remote computers must have been outlined and appropriate access privileges assigned.

Is your E-Commerce Web Site Secure?

Electronic Commerce (e-commerce) websites have two basic objectives; making money and saving money online.

Some Kenyan companies primarily go online to increase their business turnover and profile.

Not all companies can be able to profitably sell products and services online, but all companies can save money by using the internet for business research and services.

The bottom line is that we are witnessing a surge in online transactions. This has proportionally spawned more attacks on e-commerce web sites. This is due to the fact that they conduct business and hold valuable information, for example credit card numbers or other private, personal data.

Most of these attacks exploit vulnerabilities found in e-commerce websites. Your business website is vulnerable to denial of service attacks, defacement, data theft and fraud where data is manipulated or actual theft occurs.

Other common technical attacks include SQL injection, information disclosure, path disclosure, price manipulation, buffer overflows and cross-site scripting. I shall outline SQL injection and price manipulation vulnerabilities for now.

SQL injection is where an attacker determines if a site is vulnerable by sending in the single-quote (‘) character. The message generated discloses the back-end technology being used and allows the attacker to access areas of the site.

SQL injection techniques differ depending on the database. For example an SQL injection on an Oracle database is done primarily using the UNION keyword. SQL vulnerabilities are common and do potentially allow unfettered execution of malicious database queries.

Another common vulnerability is price manipulation where an attacker uses a web application proxy to modify the amount that is payable when this information flows from the user’s browser to the web server. It is particularly unique to online shopping carts and payment gateways.

Building and maintaining an e-commerce site, is a dynamic process. Static websites that do not constantly change their security controls are extremely vulnerable to attack.
Network level protection is not enough. Secure websites need to use advanced configurations and filtering mechanisms. Packet and application filtering firewalls provide capabilities that go a long way in securing your website.

It is also advisable to cooperate with your ISP. Most methods of defense include blocking of unwanted network traffic blocking such as fragment blocking.

The rule of thumb is not to neglect your e-commerce site. Static websites that are never improved or maintained contain obsolete technology that is insecure. A dynamic website is harder to attack.

Online Profiling can Enhance Security

The traditional village market has been replaced by the global digital market. The internet has transformed trading of goods, services and commodities fundamentally. However the same problems of fraud that were witnessed in the village market have crept into the digital realm.

Online fraud can be defined as any activity that involves the obtaining of other people’s money or assets by misrepresentation or deception. These fraudulent schemes are been propagated by online criminals who try to present goods and services that look, as much as possible, like those that legitimate e-commerce merchants offer.

To be able to further understand the complexity and magnitude of online fraud one has to examine the risks that are to be found in the e-business context. The continued presence of these risks enhances the growth of online fraud.

To surmount these risks and attendant problems, online investigators can use profiling techniques to assist them in monitoring and identifying online fraudsters.

Profiling, in the context of forensic computing, is a useful tool of investigation. Profiling can be broadly defined as the prediction of an individual’s characteristics, crime scene assessment and the provision of investigative advice based on practical detective expertise; behavioural science theory, and statistical analysis of solved case information.

Profiling in sum typically includes identifying personality traits, behavioural tendencies and demographic tendencies.

Profiling can be used to distinct online fraudsters from other online offenders like stalkers and sexual predators. By the use of profiling it would be possible to predict and outline the online fraudster’s behavioural characteristics.

This would be possible because profiling is based on Locard's Principle of Exchange which stipulates that anyone who perpetuates a crime or enters a crime scene both takes something from the scene with them and leaves something of them behind.

These clues can be used to develop a profile of an offender in both the physical and digital contexts.

Various profiling approaches can be used and they include determining the signature pattern, determining the modus operandi (method of operation), diagnostic evaluation, investigative psychology, digital crime scene analysis, and geographic profiling.

For example this technique can be used to identify the serial online sexual predators that prey on our youth especially at the Coast.

Computer Viruses and their Deadly Functions

Most computer users have come across the term “computer virus”. It conjures up a negative image that represents something horrific. The idea that computer viruses are always destructive is deeply ingrained in most people’s thinking.

A computer virus is a computer program that has the ability to destroy data and gain control of a computer. Its similarity with the biological virus is its ability to make a fully functional copy of itself (reproduce).

When a computer virus is executed it makes one or more copies of itself. These copies may later be executed, to create still more copies.

It is crucial to understand that not all computer programs that are destructive are classified as viruses because they do not all reproduce. Similarly not all computer viruses are destructive because reproduction, in itself, is not destructive.

What qualifies a program to be termed a virus is its destructive purpose, ability to gain control of a computer and its reproductive capability.

The very term “virus” is an emotionally charged epithet. The scientifically correct term for a computer virus is “self-reproducing automation (SRA)”.

A computer virus is written by someone with a purpose in mind. In this sense, a computer virus has the same two basic goals of a living organism: to survive and to reproduce.

Computer viruses have to be executed if they are to attain their functionality. To achieve this, the virus must attach itself to a COM, EXE or SYS file. If it attaches to any other file, it may corrupt some data, but it won’t normally get executed, and it won’t reproduce. A virus designed to attack COM files cannot attack EXE file.

We live in an interconnected world and computer viruses have the potential of spreading at phenomenal speed. Famous virus attacks have occurred in the past. The most memorable ones include the Melissa virus, I Love You virus and SQL slammer worm.

You can protect yourself from computer viruses by using an internet firewall. Windows XP with SP2 and Vista have an already built-in firewall and it is turned on by default.

You should also subscribe to industry standard antivirus software. This software should be constantly updated.

Finally never open an e-mail attachment from someone you don’t know. You should also avoid opening attachments from friends, unless you know exactly what the attachment is. The sender may be unaware that it contains a virus.