Tuesday, April 10, 2012


From Daily Nation
By PETER NG’ETICH pngetich@ke.nationmedia.com
Posted Monday, April 9 2012 at 22:30

Cyber crimes cost the economy about Sh3 billion annually, say forensic experts.

Experts argue that crime committed through new technologies poses the biggest challenge to organisations and the police.

Speaking during a forensic conference in Nairobi at the weekend, O’Sullivan Associates country chief executive Sosthenes Bichanga said the banking sector alone loses about Sh2.1 billion yearly in cyber crime.

“Embezzlement of funds in the public and private sector has moved to ICT level and qualified accountants are better-suited to handle forensic investigations,” Mr Bichanga said. He called for the establishment of anti-fraud committees in organisations to tackle cyber crime.

US-based anti-fraud expert Sir Charles Hester urged organisations to employ Forensic Certified Public Accountants (FCPA) to forestall technology-driven crime.

“It will be pointless for organisations to work hard to market their products while cash is siphoned through loopholes which can be sealed by FCPA experts,” Mr Hester said.

O’Sullivan Associates investigations and training director Ian Ross told participants that organisations needed well-planned responses to fraud to serve as a deterrent.

Mr Ross called for anti-fraud training for staff, including senior managers and board members, as a strategy to curb financial malpractice.

Talking to the Nation, Kenya Bankers Association chief executive officer Habil Olaka said their members had not done a survey to determine exactly how much banks lose through cyber crime.

“Though we cannot confirm or deny, some organisations exaggerate such figures to market themselves,” Mr Olaka said.

Kenya is ranked top among countries with the highest rate of economic crime, according to a report released last December. The PricewaterhouseCoopers report shows that the vice is growing fastest in Kenya, at nine per cent, compared with other countries. The survey was conducted in 78 countries.

From: http://www.nation.co.ke/News/Kenya+loses+Sh3bn+in+cyber+crime+every+year/-/1056/1383234/-/7wboymz/-/index.html

Thursday, April 05, 2012


E-mail is short for electronic mail: a digital text message sent from one device to another. These devices can be computers, smartphones or tablets. E-mail was one of the earliest uses of the Internet and today makes up a large percentage of total Internet traffic.

Over the years e-mail has become so common that we rarely give it a second thought. We have grown so used to e-mailing that we send messages across an insecure Internet without pausing to consider the risk.

Kenyans are slowly appreciating the importance of e-mail security due to various high profile cases involving e-mail hacking.

Are E-Mails Secure?

Many people have the misconception that e-mails are secure messages; they are not. We attach confidential files to our e-mails, hoping that no one else opens them. Sending these unprotected e-mails is convenient in the short term. However, this insecurity can be very costly in the long term.

The passing of the USA PATRIOT Act in 2001 clearly illustrated how insecure e-mails are. This Act states that any data (including e-mail) which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by American authorities.

This means that an American law enforcement agency can use this Act to request and obtain user data from an American company like Microsoft (Hotmail), Google (Gmail) or Yahoo. Your e-mails in Yahoo, for example, can be intercepted and inspected by the American authorities at any time.

This concern is global. The Dutch government in 2011 barred U.S. companies from providing data processing and cloud-based services so as to prevent sensitive citizen data from being compromised by U.S. authorities.

Internal corporate e-mail does not fall into this category. However, most companies use MS Outlook, a product of Microsoft.

Why E-Mails would be targeted by Hackers

Next to SMS messages, e-mail is one of the most popular mediums of communication. It is therefore a rich source of personal information, for example e-mail account user names and passwords, bank PINs, credit card account numbers and other private data.

E-mails are also a rich source of corporate secrets. In today's highly competitive business environment, corporate espionage targets e-mails as sources of strategic plans, upcoming projects, transaction details and other valuable business data.

How are E-mails Hacked?

There are various techniques that can be applied to hack into an e-mail account. Some are highly complex. I will, however, outline one of the most effective and simplest methods by which an e-mail account can be hacked into. Generally, the rule of thumb when hacking is to make the attack as simple as possible, because simplicity ensures faster access to the target device or account.

One of the most popular techniques is attacking an e-mail account through keyloggers. A keylogger poses a serious threat to any computer, tablet or smartphone user because keyloggers can be used to intercept passwords and other confidential information entered via the keyboard.

Keyloggers are software programs designed to secretly monitor and log all the keystrokes a user makes on a computer's keyboard. Keyloggers did not start off as illegal hacking tools. System administrators in companies sometimes used them to track what employees did throughout the day. They were also used by law enforcement agencies to analyse and track criminal activities.

Software keyloggers are introduced into the target computer through e-mails. A user receives an e-mail from either a known or an unknown source. This e-mail carries an attachment which the user is asked to open or download. Once the attachment is double-clicked, the keylogger installs itself. A keylogger can also be installed via a web page or when a file is downloaded from peer-to-peer networks like BitTorrent.

Once installed, the keylogger records all the keystrokes that the user makes, which will certainly include e-mail passwords. It then sends this information to the hacker's remote computer at pre-set times. With the username and password of an e-mail account in hand, the hacker has effectively broken into the account.

Whether it is a corporate email or a free e-mail service like Gmail, keyloggers are very effective in obtaining log-in information.

How can you safeguard your E-Mails?

Protecting against keyloggers requires installing an antivirus program and keeping it up to date. By installing an effective antivirus you safeguard your log-in credentials.

However, e-mails can also be intercepted in transit. To protect e-mails in transit, the average computer user can set up S/MIME (Secure/Multipurpose Internet Mail Extensions) on the computer. This is a protocol that secures your e-mails by using digital signatures and encryption.

By digitally signing an e-mail it is possible to prove who the sender of that e-mail was. However this does not stop anyone from reading it as it transits through the internet. Encryption then comes in handy by making sure that the e-mail is unreadable during transit. The signing works in tandem with the encryption and this makes it extremely difficult to intercept and read the e-mail.

For free web-based e-mail, PGP (Pretty Good Privacy) is another appropriate solution for the ordinary computer user. It is signing and encrypting software that works well with popular browsers like Chrome and Firefox and is widely used for encrypting and securing e-mails. The fundamental difference is that it integrates with your browser.

Another solution that would defeat keyloggers would be to implement centralized encryption protocols that shift the encryption functionalities from the individual desktop to a dedicated e-mail gateway. An e-mail gateway is a server that connects two or more electronic mail systems and transfers messages between them. Encryption technology is integrated into these servers with other security components such as virus scanners and firewalls. This solution is however highly complex and expensive and would be best suited to a corporate organization.

Sunday, March 25, 2012


Below is a comment from Mr. Kimanga on a post titled "Kenyan Forensic Science Association" dated Friday, May 16, 2008.

This post generated numerous comments and I thank you all who commented.

Mr. Kimanga, I do concur: as far as forensic capacity is concerned, the big brother is still snoozing away. If Uganda can develop this referral capacity in the region we shall all benefit. We support you.

Mr. Kimanga's Comment is as below.

Kenya boasts of being the "big brother" of the East African Community, but this is not important at all. When the big brother is still sleeping in a comfort zone, the little one is out and about making it big. Check out this (see the article below).

Kenya needs to wake up to the plain reality, just a word.

Courtesy of Sunday Nation 25/03/02


By AL-MAHDI SSENKABIRWA Sunday Nation Correspondent in Kampala (assenkabirwa@ug.nationmedia.com)
Posted Saturday, March 24 2012 at 19:27

Uganda has begun lobbying forensic experts from East African member states to support its bid to host the bloc’s referral forensic centre.

Addressing regional forensic experts in Kampala on March 21, Uganda’s Criminal Investigations Director, Ms Grace Akullo, said the police force has a modern forensic laboratory that can handle all criminal investigation challenges in the region.

“I am strongly convinced that our forensic department is better than others in the region and we are better placed to host the referral forensic centre,” she said.

“The political will is there to improve it further so that it matches international standards.”

As part of efforts to strengthen forensic research, Ms Akullo said the police plan to acquire a fingerprint machine and integrate ICT in investigating cyber crimes.

Plans are also underway to elevate the department to a directorate to attract more funding.

The forensic experts, led by the officer in charge of peace and security at the EAC Secretariat, Mr Didacus B Kaguta, are in Uganda to assess the country’s readiness to host the Regional Referral Forensic Centre.

The team includes one forensic expert from each EAC member state and two from Britain and Germany.

Uganda and Rwanda are seen as the frontrunners to host the regional facility given the existence of modern forensic centres in both countries.

The RRFC is a brainchild of the Council of East African Police Chiefs which, among other duties, addresses challenges in investigations, and strengthens forensic services and criminal justice departments.

It also aims to ensure that EAC member states have harmonised forensic centres.

The team has since visited the police forensic department in Naguru, a Kampala suburb, and will compile a report to be presented at the next Sectoral Council on Inter-State Security meeting for a final decision.

Currently, regional governments spend huge amounts of money on forensic tests that are carried out abroad, mostly in South Africa and the UK.

Furthermore, several criminal cases have been thrown out of court due to poor gathering of forensic evidence. Trained forensic personnel are also few and far between.

For example, Uganda has only 70 scene-of-crime officers (Socos) to investigate the at least 99,676 criminal cases reported at police stations annually.

Mr Kaguta said when the regional forensic centre is established, it will train forensic practitioners as well as disseminate information to all national forensic labs.

Sunday, March 11, 2012


Many Kenyan organizations are collecting and storing significant amounts of consumers' personal data. Sectors such as banking, retail (supermarkets), hotels, utilities, hospitals and many others keep repositories of your personal data. Consumer data is extremely valuable to these organizations. Researchers, law enforcement agencies, credit reference bureaus, marketers and business competitors also value consumer data.

The digital footprint you leave in various companies can be stolen and used for financial gain. As a consumer you would want to know when your data is being collected, what is stored and by whom, and how your data is being used.

What you might not have known is that the global consumer data market is huge. In the United States alone, organizations spend more than $2 billion per year purchasing consumer data from data sellers.

Buyers of consumer data are mainly marketers who use this data to better understand and predict consumer needs. Their main objectives are to improve their marketing effectiveness and to increase consumer loyalty to certain brands.

Kenyan consumers are unfortunately not aware that their data is a valuable inventory. Consumer data protection and regulation, on the other hand, are non-existent. Consumer advocacy groups are lobbying, but with minimal progress. It is therefore left to you, the consumer, to protect your data.

There are five fundamentals you should raise with any data collector you interact with. The first is Economy: you should ask the data collector to justify the value they gain if they share your data. The second is Portability: you should demand that the company provide you with a copy of the data it holds about you.

The third is Transparency: you should demand that the data collector tell you what consumer data they hold about you and what they will do with it. The fourth is Security: it is your responsibility to ascertain whether your data is protected by technology and by adequate governance policies. The fifth and final fundamental is Privacy, which requires the data collector to respect your personal data and to justify why you should trust them.

These fundamentals transfer data security from IT professionals to you. It is no longer enough just to check the “agree” button so that you can get on with your bank account opening or property purchase.

As electronic commerce and internet connectivity gains ground in Kenya, the market for data will become more lucrative. This will definitely be the new cybercrime frontier.


Crime is dynamic. The hooligans of yesteryear used techniques that would be anathema to the hooligan of today. This dynamism is also reflected in the crime detection and investigation methods used by the police. Police forces are recognizing that the use of modern techniques in combating crime is important, and technology is at the top of the list.

Analyzing data to enhance security goes a long way in preventing crime. Police forces all over the world are appreciating that analysis of stored data, together with real-time data gathered from the field, can greatly reduce incidences of crime. The Kenya Police should not be an exception.

Data analysis combines various techniques such as data mining, predictive analytics, business intelligence and trend analysis.

One area in which data analytics can be used is in pinpointing crime. By using Geographic Information Systems (GIS) in combination with software that can analyze criminal behavioral patterns, it is possible to determine when and where crime is most likely to take place.

The police are subsequently able to make informed decisions on where to deploy resources such as plainclothes police personnel. This type of smart deployment means that more efficient usage of limited resources is possible.

Another area in which data analytics can be used effectively is accident prevention. Web-based CCTV data can help determine accident black spots. For instance, when an accident occurs, the footage and incident data are stored on a server. The analytic software can then collate the current accident data with historical data.

If historical data indicates a trend of accidents at the same spot, that area can be marked as a black spot. Black spots are rarely permanent, and identifying these constantly shifting black spots is possible with analytical software.
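As an added illustration (not part of the original post), the following Python sketches the grid-and-time-window analysis described above over constructed incident records: it ranks hotspots by map cell and time of day, and compares a historical period with a recent one to separate persistent black spots from new and faded ones. The incident records, their coordinates, the cell size and the thresholds are all constructed assumptions.

```python
"""Grid-based hotspot and black-spot analysis over constructed incident records.

Added example, not from the original post. Each incident is a tuple of
(ISO timestamp, latitude, longitude, kind). Coordinates are mapped onto a
grid of CELL_DEG-degree squares and the time of day onto WINDOW_HOURS-hour
windows, so counts can be ranked per cell and per window.
"""
import math
from collections import Counter
from datetime import datetime

CELL_DEG = 0.01      # grid cell size in degrees (about 1.1 km north-south)
WINDOW_HOURS = 3     # width of the time-of-day window

# Constructed sample data: placeholder coordinates near Nairobi, not real events.
HISTORICAL = [
    ("2011-06-03T21:10", -1.2853, 36.8241, "robbery"),
    ("2011-06-17T22:30", -1.2847, 36.8256, "robbery"),
    ("2011-07-02T21:45", -1.2861, 36.8249, "mugging"),
    ("2011-08-12T23:05", -1.2858, 36.8233, "robbery"),
    ("2011-06-09T07:20", -1.3052, 36.8447, "accident"),
    ("2011-07-21T08:10", -1.3049, 36.8451, "accident"),
    ("2011-09-14T07:50", -1.3061, 36.8438, "accident"),
    ("2011-10-05T13:00", -1.2652, 36.8035, "theft"),
]
RECENT = [
    ("2012-02-03T21:30", -1.2855, 36.8244, "robbery"),
    ("2012-02-10T22:00", -1.2849, 36.8252, "mugging"),
    ("2012-02-24T21:15", -1.2863, 36.8239, "robbery"),
    ("2012-02-06T12:30", -1.2648, 36.8042, "accident"),
    ("2012-02-15T13:10", -1.2657, 36.8029, "accident"),
    ("2012-02-27T14:00", -1.2641, 36.8051, "accident"),
]


def cell_of(lat, lon, size=CELL_DEG):
    """Map a coordinate to integer grid-cell indices (floor keeps cells stable)."""
    return (math.floor(lat / size), math.floor(lon / size))


def window_of(timestamp, width=WINDOW_HOURS):
    """Map a timestamp to its time-of-day window index (0 = midnight window)."""
    return datetime.fromisoformat(timestamp).hour // width


def hotspots(incidents, top=3):
    """Rank (cell, window) pairs by incident count: where AND when crime clusters."""
    counts = Counter((cell_of(lat, lon), window_of(ts)) for ts, lat, lon, _ in incidents)
    # Sort by count descending, then by key so ties are deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def cell_counts(incidents):
    """Incident count per grid cell, ignoring time of day."""
    return Counter(cell_of(lat, lon) for _, lat, lon, _ in incidents)


def shifting_black_spots(historical, recent, threshold=3):
    """Compare two periods: cells hot in both, only now, or only in the past."""
    hot_past = {c for c, n in cell_counts(historical).items() if n >= threshold}
    hot_now = {c for c, n in cell_counts(recent).items() if n >= threshold}
    return {
        "persistent": sorted(hot_past & hot_now),
        "new": sorted(hot_now - hot_past),
        "faded": sorted(hot_past - hot_now),
    }


if __name__ == "__main__":
    for (cell, window), n in hotspots(RECENT):
        print(f"cell {cell} window {window * WINDOW_HOURS:02d}h: {n} incidents")
    print(shifting_black_spots(HISTORICAL, RECENT))
```

Cell indices rather than rounded coordinates are used as keys so that a real dataset can be joined back to a GIS layer by the same floor-division rule.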

Crowd control is another area in which the police can apply data analytics. Large gatherings of people at events such as national days, football matches or musical concerts require smart crowd control management.

By using live CCTV imagery/data and comparing it with past event data, the police are better positioned to deploy appropriate resources to ensure the public is monitored and kept safe. An absence of this analysis results in an unprepared response to crowd unrest as witnessed in the recent football crowd tragedy in Port Said, Egypt.

The use of data-analytics by the Police brings about clear benefits such as preventive crime control and better allocation of resources.


Social media sites such as Facebook, Twitter and Google+ have captivated many Kenyans. If you are not updating your page or tweeting, then you are not in touch with current trends. Social media gives you a ubiquitous presence. This means that your friends can converse with you at any time and from anywhere.

The flip side of this is that you cannot totally shut out people you don’t want to interact with. When you ‘unfriend’ someone in acrimonious circumstances, the likelihood of that former friend becoming a cyberstalker is high.

Cyberstalking is the use of electronic means to harass an individual or a group of people. A cyberstalker harasses a victim through e-mails, phone calls, SMS messages, Facebook posts and tweets. These messages reach the victim whether they are at home, at school or at work.

Cyberstalkers intrude into a victim’s life in frightening or intimidating ways making the victim feel there is no escape.

The effects of cyberstalking should never be under-rated. The psychological effect can be damaging and can result in psychological trauma regardless of whether the victim ever actually meets the stalker.

It has been observed that the fears resulting from cyberstalking depend on the individuals affected. In male victims the paramount fear is damage to their reputation. Female victims, on the other hand, are more likely to fear physical harm from cyberstalkers.

Cyberstalking is not addressed as a specific crime in The Kenya Communications (Amendment) Act. Legislative change should therefore be initiated that allows police to compel Internet Service Providers (ISPs) to implement processes that deter harassers. This legislation should also force ISPs to surrender internet logs to authorities.

Apart from legislation we need to appreciate that the police and ISPs are primary centers of responsibility in any cyberstalking crime. Police are supposed to provide an active response to stop the harassment and conduct investigations in case the crime is reported. ISPs are supposed to implement security technologies that prevent such harassment.

Other stakeholders such as the CCK-based Kenya Computer Incident Response Team (KE-CIRT) can contribute positively to cyberstalking investigations.

As more and more Kenyans embrace social media and develop online relationships, cyberstalking becomes another online menace we have to contend with.

Cyberstalking victims in Kenya should not be left to suffer in silence. By putting in place effective response and investigative structures, we can safeguard the online experience of many Kenyans.

Wednesday, February 01, 2012


Article written by JOHN OYWA in the East African Standard (Underworld Magazine) of 1st February, 2012

They pass for harmless, ordinary souls. Some cut the figures of suave business executives while others are shadowy introverts with insatiable love for computers.

But behind the veil of innocence lie the faces of ruthless white-collar criminals whose activities across the globe have cost governments and private companies billions of shillings in stolen data and fraudulent deals.

They neither carry firearms nor use force on their victims. Yet this new breed of shadowy criminals has emptied bank tills, accessed secret government data and robbed individuals of hundreds of thousands of shillings, all from the comfort of their homes and cyber cafes.

One of them, an Indonesian, struck Kenya last week, hacking and defacing more than 100 Government websites and posting a warning that he would be back soon, to inflict more damage.

This was just a year after another hacker attacked and disabled the official police website.

The Government played down the shocking attacks, saying they posed no threat to its databases, even as experts warn that the incident could be just the tip of the iceberg as cyber terrorists and criminals turn their arsenals on third world countries.

Highly exposed

Criminologists and Information Technology security experts say that Kenya remains highly exposed to cyber warfare. They say the security of public data and security secrets is under greater threat than ever before.

The fact that the Indonesian hacker, who was described as an amateur, chose Kenya, spoke volumes.

"The hacker may have found Kenya very vulnerable. It is evident he spent very little time to execute the assignment, an indication of just how much we are exposed as a country," says Mr Sylvanus Sewe, an IT forensic expert. Sewe says that although no vital data was lost in the hacking, it greatly embarrassed the Government and dented its image as a body able to fight economic crimes. "It means many people may no longer trust Government sites because one cannot be sure if what he or she is reading has been manipulated by hackers," says Sewe.

He adds: "I am imagining what will happen if such criminals could get access to the Kenya National Examination Council database containing national examination results or the Independent Electoral and Boundaries Commission data on election results."

Last year a clique of employees and students of Kenyatta University hacked into the institution’s online database and altered examination results.

Some final-year students bribed university employees to change their poor grades to enable them to graduate. They used the passwords of former employees of the university, some of whom were dead, to access the examination database.

Falling victim

Due to the alterations, the university struck off names of many students from those scheduled to graduate last December, sparking a legal tussle after the affected went to court to challenge the decision.

A private university in Nairobi also suffered a similar incident after some Internet savvy students hacked into its financial database and changed fee balances. The University lost a lot of money because students with balances altered the records to show they had cleared their fees.

Investigations indicate that cybercrimes, which range from spam mail, hacking, espionage and viruses to the use of specific software to extract information from individuals, organisations or governments, are on a sharp rise in the country.

With online and mobile banking taking root in Kenya, cyber criminals have been smiling all the way to the bank.

Industry players estimate that the mobile money platform handles up to Sh7 billion per day, a chunk of which ends up in the pockets of criminals.

Another ICT security expert, Mr Muthoga Kioni, says cyber crime had become a huge threat because it was easy to execute.

"Many young people are getting into cybercrime because it has minimal risks with maximum returns. They sit in their houses or cyber cafes and make millions within a few hours. They hardly get arrested," says Kioni.

Kioni says a hacker needs only about six hours of research not only to break into a website, but to access the database behind it.

"There are thousands of hacking tutorials on the Internet that help hackers to learn new tricks," he says.

The Internet thieves execute their acts by stealing vital information such as PINs and passwords to gain entry into websites and even access bank accounts.

But Communications Permanent Secretary, Dr Bitange Ndemo, downplays the issue, saying it was not as bad as was being portrayed.

"The recent hacking of Government websites was unfortunate but little damage was done because the criminals did not access the data bases," he says.

Disastrous prospects

He explains that it was not easy for the hackers to gain access to Government databases containing vital information. "A website is just like a brochure advertising the services offered by the Government ministries. It has no data."

The PS says it would be disastrous if the criminals could gain access to sensitive databases such as that containing M-Pesa details and transactions.

"There is need to improve our cyber security and we are already doing this. It is also important for companies to put in place a tough security framework to safeguard their internet data, since most cyber crime is committed through collusion with insiders," he says.

Internal crime

He says 60 per cent of cyber crime is internal and urged organisations to foster discipline and a value system to counter the problem. "If we avoid the 60 per cent then we will be very safe," he adds.

Industry players point fingers at the Government's ill-preparedness in fighting cyber crime.

"The truth is that we have big loopholes. In other countries, the police have a high-tech crime unit that deals with cyber crime and other organised economic crimes. In Kenya, we still concentrate more on physical security than on technical crimes," says Kioni.

The initial Cyber Crime Unit, which was established at the CID headquarters in early 2000, is no longer operational. Officers who had been attached to the unit either resigned and were hired by financial institutions or were redeployed to other departments.

But Ndemo says adequate measures have been put in place to fight cyber crime in the country. He cites the establishment of the National Computer Emergency Response Team (KE-CERT) and the e-government secretariat as some of the interventions.

Monday, January 30, 2012


Over 100 government websites were defaced by an Indonesian hacker in January 2012. This is a harbinger of things to come. As more organizations get online, hackers will test their skills against them, and the government is a target like everyone else.

This incident informs us that government websites need to be hardened. The government should ensure that its websites are well protected from any intruder who might try to hack and steal data contained therein.

Apart from defacing websites, hackers usually move on to the next stage by attempting to penetrate the database(s) that sit behind websites.

Securing the data behind these websites is a basic requirement; another fundamental is that this data should be encrypted. Most of the government sites that were defaced have a user login feature that allows authorized users to log in and, for instance, check their mail. This kind of sensitive data is what should be encrypted.

Government web developers should also make sure they are using the right coding methods. Web developers can unknowingly leave their websites at risk in various ways. One way is by leaving ‘open doors’.

An open door could be an administrator password that has been left as a comment in the source code. By searching for such comments in the source code, a hacker is able to log in and access valuable data.
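As an added check (not from the original post), the following Python scans a page's own HTML source for such open doors before it goes live: comments in the markup and in inline scripts that mention credentials or administrative access, with any key=value pairs they contain extracted. The sample page, its markup and the placeholder password in it are constructed.

```python
"""Find 'open doors' left in a page's source: comments mentioning credentials.

Added example, not from the original post. Intended as a pre-publication check a
web team runs over its own HTML. It collects HTML comments and the // and /* */
comments inside inline <script> blocks, flags those that mention passwords,
admin access or similar, and extracts key=value pairs whose key looks sensitive.
"""
import re
from html.parser import HTMLParser

# Words that suggest a comment talks about credentials or hidden entry points.
SENSITIVE = re.compile(r"password|passwd|pwd|admin|login|secret|api[_-]?key", re.I)
# key=value or key: value pairs such as password=Example123 (value stops at whitespace).
ASSIGNMENT = re.compile(r"([A-Za-z_][\w-]*)\s*[:=]\s*['\"]?([^\s'\"]+)")
# Line and block comments in script text (string literals containing // are not excluded).
JS_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


class CommentCollector(HTMLParser):
    """Collects (where, text) for every comment in the markup and in inline scripts."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self._script = None  # list of text chunks while inside a <script> element

    def handle_comment(self, data):
        self.comments.append(("html", data.strip()))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            # Scan the whole script body at once so a comment split across chunks is kept.
            for m in JS_COMMENT.finditer("".join(self._script)):
                self.comments.append(("script", m.group(0).strip()))
            self._script = None


def find_open_doors(html):
    """Return one finding per comment that mentions something sensitive, in document order."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for where, text in parser.comments:
        if not SENSITIVE.search(text):
            continue
        creds = [(k, v) for k, v in ASSIGNMENT.findall(text) if SENSITIVE.search(k)]
        findings.append({"where": where, "comment": text, "credentials": creds})
    return findings


# Constructed sample page; the password is a placeholder, not a real credential.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Ministry portal (constructed sample)</title>
<script>
  // TODO remove before go-live: admin login is admin / Placeholder-Pass-123
  var apiBase = "/api";  /* routine comment, nothing sensitive */
</script>
</head><body>
<!-- layout v2, approved by web team -->
<form action="/login" method="post">
  <!-- test account user=webmaster password=Placeholder-Pass-123 -->
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_open_doors(SAMPLE_PAGE):
        print(finding["where"], "->", finding["comment"], finding["credentials"])
```

The scan only reads what a browser would also receive, so anything it reports is already visible to every visitor; run it over the deployed pages as well as the source tree, since server-side templates can emit comments the source does not show.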

Where you host your site is crucial in determining its security. Websites are hosted on servers, and a 'weak' server is a vulnerability waiting to be exploited. Evidently the server on which the government domain was hosted was not secure.

This episode should be a wake-up call. As more and more Kenyans embrace the internet, the subsequent development and adoption of e-commerce will ensue. It will soon be possible to pay for government services online. Instead of going to a supermarket we shall be able to shop online and have the shopping delivered to our homes.

The monetary motive for sophisticated hackers to target our systems will then exist. Opportunity is already present because most of our websites and systems are not secure. This will leave many Kenyans vulnerable to online scams and fraudsters.

It is imperative that Government takes up the gauntlet and develops a fully fledged High Tech Crime Unit in the Kenya Police. This unit should be the first responder and of more importance should aim at mitigating threats to our national ICT security.

Wednesday, January 25, 2012

Amnesty Period Expired on 15th December 2011.

Screenshot from buygenuine.co.ke

Microsoft Amnesty Period
Facts don't lie: counterfeit software is costly. Using pirated software can lead to a judgment that could close down your business for a violation of the law. This will damage the reputation of your business and cost you money.

Corporates that possess, use or deal in unauthorized software are liable to criminal and civil sanctions under the Copyright Act of Kenya.

To avoid criminal penalties under the Copyright Act of Kenya, management and representatives of corporates must ensure that all software used by their company is compliant during an amnesty period that ends on the 15th of December 2011.
Issued by the Kenya Copyright Board.

Just a reminder: in case you can't afford the licences you can always try Ubuntu.

http://icea.co.ke/ was hacked on 25 January 2012

Tuesday, January 24, 2012


• In China the Education Department uses mobile jammers in schools during major exams. These jammers are used to prevent cheating by stopping students from receiving calls or SMS messages from sources outside the exam room.
• The main electronic components of a jammer are:
1) Voltage-controlled oscillator - generates the radio signal that will interfere with the cell phone signal.
2) Tuning circuit - controls the frequency at which the jammer broadcasts its signal by sending a particular voltage to the oscillator.
3) Noise generator - produces random electronic output in a specified frequency range to jam the cell-phone network signal.

Safaricom and the Kenya Prisons Service recently announced that they will install phone-jamming equipment in all the major prisons. This was termed a response to the runaway crime involving mobile phones that is perpetrated by prisoners.
The strategy of jamming mobile phone signals in prison compounds is a logical technical response. By creating islands of non-connectivity in these jails, it is possible to mitigate the economic and social risk posed by these incarcerated criminals.

How does mobile jamming work?

Phone jamming is not a new phenomenon. In the past it was associated with spy craft and the military. Times have changed. Mobile phone jammers are now commercially available and widely used by ordinary citizens in countries that have legalized their usage.

Jamming a mobile phone basically entails the blocking of its frequency by using a device called a jammer. Your mobile (short for mobile phone) transmits a signal on a certain frequency so as to communicate with the service provider’s network. The jammer will broadcast a signal to your mobile using this very same frequency. Once these two signals collide they cancel each other out and what results is a ‘No Network’ indicator on your mobile.

The range of a jammer depends on its power output and whether it is designed to disrupt mobiles or towers. Pocket/portable jammers typically operate in a range of about 9 meters. Higher powered jammers operate in a range of up to 1.6 kilometers away from the device.

The choice of jammer depends on the range over which you wish to deploy it. For uninterrupted meetings in an enclosed room, portable jammers are ideal. In a restaurant or church, a medium-power jammer would suffice. For a prison compound, a very high-powered jammer that can block multiple frequencies would be ideal.

Mobile Jamming Concerns

It is broadly agreed that something needs to be done to curb the acquisition of mobile phones by criminals in our local prisons. However, the jamming of mobiles has been tried in other countries with varied success.

Of initial concern would be the fate of prison staff and family who live and work in these compounds. To be able to effectively jam mobiles in our expansive prisons, high powered jammers will have to be used. This means that prison staff and other mobile users in the surrounding areas will also be inconvenienced.

Interference with critical public frequencies is another risk. Public safety responders like ambulances, police and fire fighters use dedicated frequencies. High powered jammers should be configured to ensure these frequencies are not interfered with.

It is also worth considering the legality of this implementation. Section 45 of the Kenya Information and Communications Act states that interference with any radio communication is punishable by a fine not exceeding one million shillings, a prison term not exceeding five years, or both.

Other Alternatives

Combating the use of mobile phones by prisoners to propagate crime requires a multi-pronged approach. Jamming their mobiles, in itself, is not enough.

We should start by increasing the criminal penalty of smuggling mobiles into our prisons. The penalty for this kind of crime should be extremely punitive so as to discourage prison staff and visitors from abetting the smuggling of mobiles.

Other technical measures that should be explored include handset disablers, micro-cells and Faraday cages.

Unlike jammers, handset disablers do not emit jamming signals. They instead detect the presence of mobiles and prevent the making of any call. This detection and disabling is done by the software at the base station. What makes this alternative attractive is that it does not disable calls from ‘emergency users’. Pre-selected mobile users, who have pre-registered their phone numbers with the service provider, are allowed to receive and make emergency calls.

Micro cells are essentially scaled down base stations. It would be possible to build micro cells dedicated to the prisons. These cells would carry all traffic originating and terminating in the prison compound. In this implementation it is possible to segregate only prison calls and avoid jamming calls of legitimate users in the prison environs. The micro cell would be able to intercept communications specific to the prison and disable the mobiles through either SIM or IMEI blocking.

Another alternative is the Faraday cage, a grounded wire mesh enclosure that shields against radio waves. A cage around the main prison compound would impede the transmission of mobile phone signals to or from any handset located inside the cage.

Critical Lesson

One critical lesson that needs to be internalized from this effort is that there is a slow but sure shift from conventional to cyber crime by Kenyan criminal elements. The ingenuity and innovativeness exhibited in the execution of these mobile phone scams proves that it is only a matter of time before ICT security becomes a priority for law enforcement agencies.


E-mail users in Kenya are increasing daily. In many local organizations, MS Outlook is the dominant corporate email client, used by thousands of office workers. Sending an email to one recipient requires you to insert the recipient's email address and click on send. When you want to send the same email to many recipients you click on the cc: button and insert multiple email addresses.

Cc: stands for carbon copy. In the pre-computer/photocopier days, creating multiple copies of the same letter was achieved by using carbon papers. Before typing the letter, carbon papers were interspersed with plain white paper. Copies were created below the originally typed letter and thus the term carbon copy.

Leaking sensitive and secret information has never been easier in this digital age. Any organization that tries to safeguard corporate data from being unlawfully accessed by unauthorized people must contend with the cc: loophole.

Internal emails that have inadvertently gone awry are a good example of how secret information leaks out. We all dread that cc: goof. A successful salesman had a huge e-mail address book filled with his loyal customers, including prominent government contacts. With a single click, he accidentally sent a file of his favorite pornographic cartoons and jokes to everyone on his e-mail list. His subject: ‘Special deals for my best customers!’ Obviously he was looking for a different job thereafter.

Embarrassment can result from these mistakes. However, when medical records or intelligence reports are inadvertently sent out, the security breach causes untold damage.

Basic safeguards should be adhered to. The first rule of thumb should be to always check the To and CC fields before you click on send.

The second rule is the carpenter’s rule which states that you measure twice and cut once. This means you think twice before sending the email once. In other words, put that message aside and let your temper cool before sending that e-mail.

Another safety rule concerning carbon copy emails is the draft folder. Handle it with extreme caution. Sending an e-mail in progress by accident is very easy. When trying to change the status of that draft email or transferring it to the inbox, you can find yourself cringing after accidentally sending it.

Finally, don't make jokes or comments via e-mail that you wouldn't make in person. If you can't say it aloud then don't put it down. When in doubt click on the Cancel button instead of Send.


The digital revolution has left an indelible mark on our personal lives. Taking family photos has never been easier. We simply click away on our digital cameras and transfer the images to a computer or a portable device. Viewing them can now be done through the new USB-compatible TVs.

Personal record keeping has also evolved. Photocopying and sealing those important academic and achievement certificates is outdated. It is now much easier to scan and store the digital image in your computer.

This historical data has to be secured due to its vital long-term importance. How do you effectively preserve these personal records?

Digital preservation is basically the keeping of data in such a way that its significant content can still be extracted and understood for an extended period of time. One thing to note is that all storage media (including your computer or external hard disk) becomes unreadable, or more difficult to read, eventually. These devices simply deteriorate.

There are two options available. You can periodically convert the data every few years so that it is easily processed by the software systems of the future. The other option is to convert the original digital record into a stream of bytes. This would ensure that you can retrieve it in any number of formats while retaining its original quality. This option is definitely more secure but technically challenging.

A third option is uploading all your personal data to a cloud provider. This would free you from the anxiety of contemplating what would happen if you lost your computer or portable storage device. However, this option comes with a risk. What would happen if the cloud provider went bust or lost your data?

All these options must be considered against the backdrop that ICT was different twenty years ago. Advances in technology will inevitably make technology fundamentally different twenty years from now.

The format of your digital documents and snaps will therefore change and conversion will be necessary. My preference would be the second option, in which you use a conversion utility that converts your records into a stream of bytes.

Use this utility to attach metadata that describes the record's properties, and store these records on your portable storage device. As a redundancy, upload them to a cloud provider. This way your future generations will be able to access those digital family snaps and documents with the technology of their time.


The ICT security industry has seen more changes in the past four years than in the previous twenty years that computers have been with us. These changes have mainly been a result of the advancement in portable devices, especially smartphones. These smartphones are basically microcomputers with the processing power that was resident in PCs of a decade ago. Popular smartphones have Android, Symbian, Windows Mobile, Apple and Blackberry operating systems.

Many companies issue smartphones, and other portable devices, to employees for business. It is often taken for granted that company ICT security policies also apply to these devices. This is often not the case because many companies are yet to resolve the question of who is responsible for the loss of these devices (and the data contained therein).

Best practice states that the data controller is the person liable. This is explicitly stated in most Data Protection legislation, for example the Data Protection Act in the United Kingdom. This data controller is defined as the person (either alone or with other persons) who determines the purpose for which and the manner in which any data are to be processed.

That company issued smartphone is meant for company business and the data stored in it is there by company consent. This means that it is the company that determines the purpose and method in which the data is to be processed. It is therefore clear that senior managers are data controllers and the other persons are effectively the Board.

It can be argued that the employee would be responsible for the loss of a company issued smartphone if he/she did not implement the security policies of the organization. However the employee would only be directly responsible to the employer.

One effective way of enforcing such policies is by implementing encryption on company smartphones. Employees would then be obliged to ensure that the encryption software is on and effectively protecting company data.

If, however, the lost smartphone contained unencrypted sensitive data that would have far-reaching consequences for the general public, then the manager and Board would land in court.

The absence of a Data Protection Act in Kenya means that apportioning liability for data loss due to portable devices getting lost is difficult. The draft Data Protection Bill, that is currently undergoing review and stakeholder consultation, should conform to the generally accepted liability principle of data protection.

Protecting data with appropriate organizational and technical measures is the responsibility of managers and the Board.


The festive season is with us. Most of us will transact in a shop, a supermarket, a school or even online. To do this we shall use our credit cards, ATMs, M-Pesa PIN numbers, certificates, badges and other identifiers. These identifiers will allow us to prove we are who we claim to be. This aspect of proving who we are is becoming increasingly tricky for businesses.

Most of us have different identifiers. You might have a credit card, two ATM cards, a debit card, an M-Pesa account, a national ID and a supermarket smart card. These are all pseudonymous which means your identifiers are different personas to different organizations.

It is assumed that the person on a credit card is the same person on the Smart Card. But the bank cannot prove that the John Mutiso who holds the credit card is the same John Mutiso who has the Uchumi Smart Card.

This is because customer data is not shared between the bank and Uchumi supermarket. This means you are the only person who can prove who you are. Businesses are therefore vulnerable due to this pseudonymity and they need to take steps to protect themselves.

Businesses therefore require identity management so as to guard against this high risk of pseudonymity. The purpose of this management would be to establish the eligibility of John Mutiso to conduct a transaction and to assign the limitation of liability in the event of a failure.

Biometrics is an identity management solution that is proposed in the absence of data sharing and data matching. Biometrics are however not 100 per cent accurate especially in real environments where reliability thresholds are marginally lower.

To effectively protect businesses a highly distributed citizen database is required. This database can be accessed by businesses to determine who John Mutiso is, whether he is in the system and whether he is unique. In other words is this person who he claims to be?

This distributed citizen database would not necessarily be wholly housed by government. Elements can exist in credit reference bureaus, NGOs, county offices and local government systems.

This pool of citizen data would create an environment where government, commerce and citizens not only trust identity services but businesses would be able to use this database to reduce identity pseudonymity.

The technological infrastructure is now in place. What we need is the political will to implement this solution.


Many people assume that securing ICT systems is an expensive undertaking. When it comes to security software, expensive does not equate to secure systems. Vendor security solutions can be very expensive and yet their Open Source (OS) software equivalents tend to be even more secure.

OS software is the subject of various misconceptions. The first one is that OS costs as much as proprietary/vendor software. OS security applications are capable of providing adequate security without bursting your budget. Most are either free or dirt-cheap. Notable examples of free OS security software are SpamAssassin, Snort, Nmap, Nessus, FreeBSD and many others.

Another prevalent misconception is that OS security software is dodgy and dangerous because it is open and free. OS is more secure than proprietary software because more developers are assessing and critiquing the code.

OS software code being freely available means that many “white hackers” are constantly ensuring its integrity and security. OS security software is not invulnerable. However by using any of the OS software packages that are widely used, it is possible to use security software whose vulnerabilities have been minimized.

It is also widely believed that outsourcing of a company’s internal network security can only be done through proprietary/vendor software. This is yet another misconception. Paying for expensive vendor systems that purport to prevent your network from being compromised can be avoided.

Open source perimeter management systems are equally capable of monitoring logs/traffic from your internal network. For example, Nessus is a reputable OS network vulnerability scanner that can discover bugs throughout an entire organization.

OS security software has some fundamental advantages over vendor software. Probably the most potent advantage is the so called “many eyes” theory. Security vulnerabilities are typically found by examining source code and testing the software for failures. The fact that OS source code is freely available means that it is under constant improvement by developers all over the world.

This transparency means that many people are motivated to sift through the code of OS security projects for a variety of reasons. Bugs are therefore fixed swiftly and better products released to consumers. This therefore discourages those who might try to sneak malicious code into OS security software.

In my opinion, Open Source security applications tend to be more secure than their commercial equivalents. Having in place good basic security controls and practices based on an Open Source platform can better protect your ICT systems.


The power of social media is no longer a peripheral international issue; it is now with us. The doctors' strike ("Operation Linda Afya") was organized through Twitter and Facebook.

Media reports indicate that the doctors used this fast, prompt and reliable mode of communication in executing their industrial action that crippled healthcare delivery in all public hospitals in the country.

Twitter and Facebook messaging is what made it possible for doctors to quickly converge and hold peaceful demonstrations all over the country. This phenomenon is possible due to the wide coverage of telecommunication networks throughout most of the country.

Social networks are all-pervasive; however, they aren't always safe. Most malicious attacks are now emanating from social network sites. If you tweet regularly and update constantly on Facebook there are a few safety tips you should know.

The first tip is don’t click on links you don’t know. Sharing links in Twitter and Facebook is common and an effective way of directing your friends to interesting sites. However avoid clicking on subsequent blind links where you cannot discern the destination website from the link, for example www.23433.co.ke is a blind link. This link can open you up to a malicious attack and place your sensitive phone/computer data at risk.

Secondly don’t share personal information. Some personal details should never be shared online and these include your current address, date of birth, next of kin, bank details, ID number and company staff number. You would be surprised how much information about you can be gleaned from these details.

Setting up strong passwords for your Twitter/Facebook accounts is a must. You can imagine what would have happened if the Twitter account that was used to mobilize doctors during "Operation Linda Afya" had a weak password. It would have been possible to hijack it and sabotage the whole effort.

Beware fake friends. A common attack that is used by online criminals is where messages are distributed from accounts whose names are vaguely familiar or resemble the names of your long lost schoolmates. Clicking on a message from such a “fake friend” will lead you to an external site that installs malicious code in your mobile phone or computer.

Social media is here to stay and as internet penetration in Kenya grows its power can only increase. Users should however apply these rudimentary safeguards so as to prevent online criminals targeting their interactions with friends or colleagues on social media sites such as Twitter.


Supervisory Control and Data Acquisition (SCADA) systems are a suite of software used by the utility, gas, oil, water and manufacturing sectors to achieve efficient control over their complex operations. These systems control various components for example the opening and closing of valves in an oil pipeline. In the electrical utility sector they control power grids.

A major development is the introduction of a smart component into these systems. This entails the implementation of an end-to-end IP (internet protocol) network that connects critical components such as valves in a pipeline, smart meters in an electrical grid or pumping stations in a water pipeline. Smart meters are generally at a more advanced stage in the electrical grid systems of advanced western countries.

What makes the security of these smart grids important is the deployment of these networked, IT- and IP-enabled critical components. These IP-enabled components have to interface with old legacy components such as Programmable Logic Controllers (PLCs). This presents a threat because most of the old components are not designed to support the complete IP communication stack.

Besides the system integration risk the implementation of IT and IP enabled components introduces the same security threats attendant with such technology. Cybercriminals can for example bring down communication links between these components and the control stations by using denial of service, routing, flooding and buffer overflow attacks.

Another factor to consider is the lack of skills to identify and manage risk in SCADA systems. Professionals in the industries that use SCADA (e.g. electrical) are not aware of the proper security controls necessary and suitable for their industries.

For example, the electrical utility sector in most countries is only at an initial stage of developing the required skills to conduct risk assessment. This risk assessment would allow ICT security professionals to design security architectures tailored to SCADA systems.

What then is the way forward? Industries that use SCADA, risk, ICT and ICT security operations must find a way of working together. The security management of IP endpoints and devices is the forte of ICT professionals. They are however ill-equipped to manage foreign endpoints like valves, smart meters, breakers, PLCs etc.

A complex network with hundreds of thousands of endpoints and network interconnections is extremely difficult to secure. For a SCADA network to be truly reliable, scalable and secure, both ICT professionals and utility operators have to work together.


The volume of data that is shared between business entities is growing every year. Companies are constantly sharing information with each other. I.T. systems are linked to each other in various business contexts, for example supplying, selling, regulation and management. A manufacturing firm, for example, is likely to have its procurement system linked to its suppliers and its sales component linked to distributors on a real time basis.

Whether it’s a document sent over email or sales figures transmitted through a file transfer protocol, the risk of a data breach during the transfer or sharing process is high.

Many business people are yet to appreciate the value of the data in their possession. USBs and CDs are lost at a very high rate. These same devices are couriered in unsecured envelopes. Loss of company data can have an irreversible impact on a company's finances and reputation.

In most cases the loss of mobile devices such as USBs and CDs results in loss of valuable company data. These devices are by their nature easy to lose, especially USB drives. People usually overlook the real value that is contained in a USB drive itself and instead value the physical device more. USBs might be small but the data in them is vitally important.

Other means of data transfer that pose considerable risk are websites that allow users to upload large files. These files can then be accessed by other people with a link that was sent to them. Photo sharing websites use this concept.

Companies should not use these sites because it is nearly impossible to ascertain where your files are hosted and who has access to them.

Implementing more secure and reliable data transfer technologies is imperative. Relying on USBs, CDs and file hosting websites to transfer your business data is unsafe.

File transfer technology has advanced considerably in the recent past. Newer technologies offer enhanced features like audit trails and are better alternatives to the old transfer methods.

An example is Managed File Transfer (MFT) which is a data transfer service provided by vendors. MFT keeps an audit trail of the transferred file(s) by keeping receipts. MFT also encrypts the files thereby securing them against man-in-the-middle attacks.
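The receipt and audit-trail idea described above, worked through as an added example (not code from any MFT vendor or from the column): the sender issues a signed receipt recording the file's size and SHA-256 digest, the receiver checks the delivered bytes against that receipt, and every outcome lands in an append-only trail. The shared key, party names and file contents are constructed placeholders, and the HMAC with a shared key demonstrates integrity receipts only; a real MFT service would also encrypt the file in transit.

```python
"""Integrity receipts for a file transfer, in the spirit of the audit trail
an MFT service keeps. Everything here is constructed for the example: the
shared key, the parties and the file contents are not from any real system."""
import hashlib
import hmac
import json

# Assumption: sender and receiver share this key out of band (placeholder value).
SHARED_KEY = b"example-shared-key-not-for-production"


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(receipt: dict) -> str:
    # Canonical JSON so both sides MAC exactly the same bytes.
    body = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def issue_receipt(transfer_id, sender, recipient, filename, data, sent_at):
    """Sender side: record what was sent and sign the record."""
    receipt = {
        "transfer_id": transfer_id,
        "sender": sender,
        "recipient": recipient,
        "filename": filename,
        "size": len(data),
        "sha256": file_digest(data),
        "sent_at": sent_at,
    }
    receipt["mac"] = _sign(receipt)
    return receipt


def verify_delivery(receipt, data):
    """Receiver side: confirm the receipt is genuine and the bytes match it.

    Returns (ok, reason). The MAC is checked first, so a forged or edited
    receipt is rejected before its digest is trusted."""
    claimed = dict(receipt)
    mac = claimed.pop("mac", None)
    if mac is None or not hmac.compare_digest(mac, _sign(claimed)):
        return False, "receipt signature invalid"
    if len(data) != claimed["size"]:
        return False, "size mismatch"
    if file_digest(data) != claimed["sha256"]:
        return False, "content digest mismatch"
    return True, "ok"


class AuditTrail:
    """Append-only log of receipts and delivery outcomes."""

    def __init__(self):
        self.entries = []

    def record(self, receipt, delivered, reason):
        self.entries.append({"transfer_id": receipt["transfer_id"],
                             "delivered": delivered, "reason": reason})

    def failures(self):
        return [e for e in self.entries if not e["delivered"]]


def demo():
    """Three deliveries against one receipt: intact, altered in transit,
    and altered with a re-written (but unsigned) receipt."""
    trail = AuditTrail()
    original = b"month,region,sales\n2012-03,Rift Valley,1520000\n"  # constructed
    r = issue_receipt("T-0001", "hq-finance", "distributor-kericho",
                      "sales_march.csv", original, "2012-04-10T09:00:00Z")
    ok, why = verify_delivery(r, original)
    trail.record(r, ok, why)
    # Same length, different figure: passes the size check, fails the digest.
    altered = original.replace(b"1520000", b"1250000")
    ok2, why2 = verify_delivery(r, altered)
    trail.record(r, ok2, why2)
    # A receipt edited to match the altered bytes fails the MAC check.
    forged = dict(r, sha256=file_digest(altered))
    ok3, why3 = verify_delivery(forged, altered)
    trail.record(forged, ok3, why3)
    return trail


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```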

This technology is vital for sectors that have huge volumes of data transfer for example healthcare, pharmaceuticals, banking and government.

Data transfer is a grey area that needs immediate attention by all companies that exchange information with another business entity.


This article is a continuation of last week's article, in which we concluded that due diligence should be conducted before subscribing to a cloud computing provider.

Cloud computing is basically the use of computing resources, like applications and servers, as a service (Software as a Service). This means that a cloud computing provider provides access to computing resources when needed and the client is charged for this usage.

Any business that subscribes to cloud computing has to consider a few security risks. Any cloud computing firm that you use should, at the minimum, have appropriate certifications like ISO27001. These certifications ensure that their internal controls are in place and maintained against insider attacks.

Any firm that outsources should also ensure that their data is backed up. Backing up should not be taken for granted and it is the responsibility of the client to ensure that the provider makes redundant copies and restoration can be successfully done.

Businesses that outsource should not put all their digital eggs in one basket. Outsourcing to one cloud provider effectively means that should anything untoward happen, applications and information will be at risk. This risk can be mitigated by spreading your dependencies. Using a redundant storage provider will enable crucial data to be stored by different vendors and in different locations.

Data commingling is another risk that businesses which outsource to the cloud should be aware of. Cloud providers run many applications and handle data for many client organizations. Data therefore commingles in the same databases and servers separated only by the software itself. This is a security risk in that a flaw in the code could be exploited to allow access to other data. It is therefore advisable to ensure that segregation is done and maintained by the cloud provider.

Data migration procedures are also very important. As a business that outsources to the cloud it is important to ensure that procedures are in place that allow and ease the migration of data. Data migration is the extraction of data so as to re-use it. The procedures for this should be clearly established and the cost should not be prohibitive.

Finally, any business that outsources its applications and data should have clear Service Level Agreements (SLAs) with the cloud provider. Just like with any other third party service provider, the SLA with the cloud provider should have clear parameters for performance, change management, liability, access and provisioning.


Cloud computing is finally with us. Recently a leading telecommunication service provider launched a cloud computing service for individuals and businesses. Cloud computing is basically the use of computing resources, like applications and servers, as a service (Software as a Service).

An example would be a small construction and road repair company somewhere in Kericho. At the end of every month the company runs its payroll and pays its casual and permanent employees. Before the advent of cloud computing this company would be forced to invest in a computer, a payroll system and stationery so as to automate its payroll process.

The cost of purchasing a dedicated payroll computer and its system would be prohibitive to a small enterprise. The concept of cloud computing means that instead of dedicating resources to a process that is run only once a month the company can subscribe to a cloud computing provider to do it. The company is then billed only for the time it uses the payroll system.

So instead of worrying about the costs of the payroll system, and the security of the data, the company relies on the cloud computing provider, which provides access to these computing resources when needed and charges for specific usage only.

Examples of global cloud computing providers include Hewlett Packard, Fujitsu, Red Hat, Amazon and many others.

Cloud computing, just like any other technology process, has some security risks. These risks will be discussed in this article and the next.

There are many security concerns in cloud computing. One of the most common queries concerns access to data. Who has access to your data?

An example is the United States of America. In October, 2001 the USA Patriot Act was signed into law as a response to the September 11 terrorist attack. This Act allows the American government to access data in any American owned data center, no matter what country that data center is in. If you outsource any of your ICT functions to a cloud infrastructure owned by an American company, then your data can be accessed by the American government.

Who can potentially access your data becomes a priority concern when choosing a cloud computing provider.

Keeping data private and secure is an ongoing concern for everyone in this interdependent and connected world. Due diligence should be conducted. The only truly safe approach in cloud computing is to subscribe to a cloud computing provider that is locally owned and locally located.


Exchanging chain e-mails is a common practice in many organizations. These are basically unsolicited e-mails that we receive and pass on to our colleagues and friends. Topics vary and their content may include jokes, inspirational messages or current affairs. Others however contain pornographic images and videos.

System administrators manage the corporate network and they are able to see the kind of e-mails workers send to each other and what images/videos they download. No company can impose an outright ban on the content of these chain mails.

The risk associated with chain e-mails and especially pornographic e-mails cannot be ignored anymore. It is common knowledge that the most virulent computer viruses are embedded into pornographic material. This pornographic material is a perfect vehicle due to the high distribution rate of this kind of content. Virus infection is therefore guaranteed to be swift.

Another factor to consider is duty of care. Legislation will soon be enacted to ensure that organizations have a legal obligation to prove they have taken all reasonable practical measures to protect their staff from pornographic material. The onus will therefore fall on the company, and not the worker, to ensure that this material is not circulating in the corporate network.

Sifting through the high volume of e-mails generated by employees is a daunting task and this job is best left to an automated tool.

Before this can be done the organization must develop and sensitize all employees on an acceptable usage policy. This policy must outline the do’s and don’ts of corporate e-mail usage.

Trying to manually monitor and apprehend users who breach the usage policy is impossible. That is why an automated e-mail monitoring tool is appropriate. This approach is non-invasive and can drastically reduce the volume of pornographic images/videos that circulate in the workplace.

This tool will screen all e-mails in the corporate network and respond in a number of ways. It can simply block the e-mail or send a warning to the sender and recipient informing them that they are infringing the company usage policy.

This approach will not embarrass anyone because the affected e-mail users will know what was contained in the chain e-mail.

The organization is now able to demonstrate duty of care and has all the information it needs if the situation requires disciplinary action. This approach will also safeguard the company’s reputation and bring down the volume of unofficial activity on the corporate network.


Every piece of hardware and software that we use has privileged identities built in. These are basically secret keys which are added to the system by the manufacturer. These keys (or passwords) are found in all systems that organizations use. They are for example Administrator passwords in a Windows workstation, Root on Unix and DBAdmins in Oracle databases.

Manufacturers make products with these passwords so that they can effectively support these products. These same passwords are used by customers of these products for administration purposes.

These passwords are like master keys. They can open all modules and files of the system. This is why they are coming under increased scrutiny by various regulations. In the USA, Section 404 of the Sarbanes-Oxley Act requires that companies prove that they have control over their financial systems. If an organization has key financial information whose administrative access is not secured or managed, then that organization is in violation.

Of more relevance to us is the Payment Card Industry Data Security Standard (PCI DSS), which is one of the most explicit. It requires that vendor-supplied default passwords be changed before a system goes into production and that every user, administrators included, has a unique ID so that activity can be traced to a person. For cryptographic keys it goes further: access must be restricted to the fewest custodians necessary, and keys must be stored securely in the fewest possible locations and forms.

Another area in which countries are requiring secure administrative passwords is the health sector. The American Health Insurance Portability and Accountability Act (HIPAA) contains administrative and technical safeguards that require medical records to be kept confidential and access to them to be controlled. An organization that allows unsecured administrative access to medical records is in violation of the Act.

The global trend is towards tighter local regulation of privileged passwords. Kenya, however, is yet to develop legislation or regulations that require organizations to control the secret keys and passwords of their systems.

Hackers look for these privileged passwords because most of them are never changed and many are shared among several administrators. A large share of successful attacks are insider in nature, and these shared passwords are the means by which the insider obtains access to systems while leaving no trace of who actually used them.

The primary motive for demanding that organizations protect privileged passwords is to ensure that these secret keys are secure and that their use (or misuse) can be tied to a specific member of staff.

Kenya therefore needs to develop a framework that encompasses all the critical sectors of the economy for example financial, health and utility systems. This framework should require entities in these sectors to conform to the fundamental requirement of securing secret keys or privileged identities.
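What “control over privileged identities” looks like in practice, as an added example that is not part of the original column: a small vault that holds the shared administrative passwords, lets only named custodians check one out, records who had it and why, and rotates it on check-in so that every use can be tied to one person. It also audits the inventory for the things a SOX, PCI DSS or HIPAA assessor asks about first. The default-credential list, system names, staff IDs and clock are constructed for the illustration; a real vault encrypts secrets at rest and pushes each rotated password to the target system.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Well-known vendor defaults. This short list is illustrative; a real audit uses a
# maintained catalogue of default credentials for every product in the estate.
KNOWN_DEFAULTS = {
    ("Administrator", "password"),
    ("admin", "admin"),
    ("root", "root"),
    ("SYS", "change_on_install"),
    ("SYSTEM", "manager"),
}

NOW = datetime(2012, 4, 10, tzinfo=timezone.utc)   # fixed clock for the sample run


def days_ago(n, now=NOW):
    return now - timedelta(days=n)


def random_password(length=24):
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class PrivilegedAccountVault:
    """Toy vault for privileged identities (in-memory only).

    Every use of a shared administrative password is checked out by a named
    member of staff and rotated on check-in, so that whatever was done with it
    can be attributed to one person.
    """

    def __init__(self, max_age_days=90, custodians=None):
        self.max_age = timedelta(days=max_age_days)
        # (system, account) -> set of staff IDs allowed to check the account out
        self.custodians = dict(custodians or {})
        self.accounts = {}   # (system, account) -> {"password", "set_on", "held_by"}
        self.ledger = []     # every check-out, check-in and refusal: who, what, why, when

    def register(self, system, account, password, set_on):
        self.accounts[(system, account)] = {"password": password, "set_on": set_on, "held_by": None}

    def check_out(self, system, account, staff_id, reason, now=NOW):
        key = (system, account)
        rec = self.accounts[key]
        if staff_id not in self.custodians.get(key, set()):
            self._log("refused", key, staff_id, reason, now)
            raise PermissionError(f"{staff_id} is not a custodian of {account}@{system}")
        if rec["held_by"] is not None:   # exclusive use keeps the attribution unambiguous
            self._log("refused", key, staff_id, f"already held by {rec['held_by']}", now)
            raise RuntimeError(f"{account}@{system} is checked out by {rec['held_by']}")
        rec["held_by"] = staff_id
        self._log("check_out", key, staff_id, reason, now)
        return rec["password"]

    def check_in(self, system, account, staff_id, now=NOW):
        key = (system, account)
        rec = self.accounts[key]
        if rec["held_by"] != staff_id:
            raise RuntimeError(f"{staff_id} does not hold {account}@{system}")
        # Rotate: the value the person saw stops working the moment it is handed back.
        rec["password"] = random_password()
        rec["set_on"] = now
        rec["held_by"] = None
        self._log("check_in", key, staff_id, "rotated", now)

    def audit(self, now=NOW):
        """Findings in the order a regulator would raise them."""
        findings = []
        for (system, account), rec in self.accounts.items():
            if (account, rec["password"]) in KNOWN_DEFAULTS:
                findings.append((system, account, "vendor default password still in use"))
            if now - rec["set_on"] > self.max_age:
                findings.append((system, account, "password older than rotation period"))
            if not self.custodians.get((system, account)):
                findings.append((system, account, "no named custodians"))
        return findings

    def uses_by(self, staff_id):
        return [e for e in self.ledger if e["staff"] == staff_id]

    def _log(self, event, key, staff_id, detail, now):
        self.ledger.append({"event": event, "system": key[0], "account": key[1],
                            "staff": staff_id, "detail": detail, "at": now.isoformat()})


if __name__ == "__main__":
    vault = PrivilegedAccountVault(custodians={("fileserver01", "Administrator"): {"jkamau"}})
    vault.register("fileserver01", "Administrator", "password", days_ago(400))
    vault.register("erp-db", "SYSTEM", "manager", days_ago(10))
    print("before:", vault.audit())
    vault.check_out("fileserver01", "Administrator", "jkamau", "apply patches")
    vault.check_in("fileserver01", "Administrator", "jkamau")
    print("after:", vault.audit())
    print("ledger:", [(e["event"], e["staff"]) for e in vault.ledger])
```

The ledger, not the password itself, is what answers the regulator’s question: it shows which person held the master key during the window in which a change was made.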


Internet penetration in Kenya is currently at 3.9 million users and rising fast. This roughly translates to 10% of the total population. The widespread availability of broadband internet, Government support and relatively low cost of hardware means that more Kenyans are accessing the internet. Internet connectivity will eventually become common, at least in the urban areas.

However, in the rush to set up networks at home or at work, many Kenyans are leaving themselves open to attack. The biggest risk comes from routers, the devices that forward traffic between your computers and the internet.

Attacks against home routers differ from the common hack, in which your computer is compromised after you download something you should not have, for example pornographic material.

In the router attack the malicious code still arrives on your computer through a download, but once it runs it seeks out and attacks your router, not your computer. It changes the router settings that govern how the router connects you to the internet and to other computers; most commonly it replaces the addresses of the DNS servers the router hands out, so that every name lookup your computer makes is answered by the attacker.

So every time you go online, instead of your traffic going directly to the website you wanted it is diverted. Just as with a diversion on the highway, your data traffic is sidetracked through the hacker’s computer.

This means that the hacker can see all your traffic. When you type your e-mail username and password, the hacker can not only view but also store this vital information. Your data is then forwarded on to its intended destination, which makes the diversion very hard for you to detect.

The single most effective way to protect your router is to change the default password. When you buy a router it comes with a factory password that protects access to the configuration settings. This password is generic, printed in the manual and listed on the internet, and is often as simple as “admin” or “password”.

This default password must be changed. If you also run a wireless network, change the network name (SSID) from the factory value and switch on WPA2 encryption, which most routers now support (WPA only if the router is too old for WPA2). Do not rely on WEP: its keys can be recovered in minutes with freely available tools. Switching off administration of the router from the internet side removes another avenue of attack.

Malicious code that attacks routers is akin to a burglar patrolling for houses with weak door locks or open windows. By not changing the factory password of your router and not using encryption you are leaving a spare key under the door mat and hoping no one will ever look there.
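A way to check your own router for the weaknesses above, as an added example that is not part of the original column: read the router’s configuration and flag a factory administrator password, an open or WEP-protected wireless network, DNS servers that are not the ones your ISP gave you (the tell-tale of the diversion described above) and administration exposed to the internet. The key=value dump format, the list of trivial passwords and the ISP resolver addresses are assumptions for this illustration; real routers export their settings in vendor-specific forms, and the addresses used are documentation ranges, not real resolvers.

```python
import ipaddress

# Factory or trivial administrator passwords that should never survive first boot (assumed list).
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234", "12345", "root"}

# Factory network names that tell an attacker nothing has been changed (assumed list).
DEFAULT_SSIDS = {"", "default", "linksys", "dlink", "netgear"}

# Resolvers your ISP actually gave you. RFC 5737 documentation addresses stand in for real ones.
ISP_DNS = {"192.0.2.53", "192.0.2.54"}


def parse_config(text):
    """Parse a key=value configuration dump (format assumed for this example)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_router(cfg, trusted_dns=ISP_DNS):
    """Return (setting, problem) pairs for every weakness found, in config order."""
    findings = []
    if cfg.get("admin_password", "").lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("admin_password", "factory or trivial administrator password"))
    if cfg.get("wifi_ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(("wifi_ssid", "network name left at the factory value"))
    security = cfg.get("wifi_security", "none").lower()
    if security in ("none", "open"):
        findings.append(("wifi_security", "wireless network is unencrypted"))
    elif security == "wep":
        findings.append(("wifi_security", "WEP keys can be recovered in minutes; use WPA2"))
    elif security == "wpa":
        findings.append(("wifi_security", "WPA/TKIP is weaker than WPA2; upgrade if supported"))
    for key in ("dns_primary", "dns_secondary"):
        value = cfg.get(key)
        if not value:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append((key, f"{value!r} is not an IP address"))
            continue
        if value not in trusted_dns:
            findings.append((key, f"resolver {value} is not one of the ISP's; traffic may be diverted"))
    if cfg.get("remote_admin_wan", "off").lower() in ("on", "1", "yes", "true", "enabled"):
        findings.append(("remote_admin_wan", "configuration page reachable from the internet"))
    return findings


# Constructed sample dumps: a router left at factory settings after a DNS-changing
# infection, and the same router hardened as the column recommends.
INFECTED = """
admin_user=admin
admin_password=admin
wifi_ssid=default
wifi_security=wep
dns_primary=198.51.100.7
dns_secondary=198.51.100.8
remote_admin_wan=on
"""

HARDENED = """
admin_user=admin
admin_password=Kipchoge-42-ngombe!
wifi_ssid=nyumbani-5
wifi_security=wpa2
dns_primary=192.0.2.53
dns_secondary=192.0.2.54
remote_admin_wan=off
"""

if __name__ == "__main__":
    for label, dump in (("infected", INFECTED), ("hardened", HARDENED)):
        print(label)
        for setting, problem in audit_router(parse_config(dump)):
            print(f"  {setting}: {problem}")
```

The DNS comparison is the check that catches the attack in the column: a changed password and WPA2 keep the attacker out, but if the resolver addresses are not the ISP’s, someone is already in.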


Corporate Boards are composed of accomplished professionals and their main purpose is to govern a commercial entity by establishing broad policies and objectives. The Board also accounts to stakeholders on the overall performance of a company.

Board members are undisputedly busy people who have to grapple with varied and difficult aspects of directing a company, especially so in the current harsh economic climate. It is however clear that most Boards under-appreciate the importance of ICT security to their companies.

The importance of implementing ICT security measures in a company is usually misunderstood, for one primary reason: most Boards struggle to see the value of ICT security because it does not provide a measurable Return on Investment (ROI). This is understandable; an average computer user would find it hard to quantify the ROI on the antivirus program he or she bought a year ago.

The question can thus be framed - what positive impact does ICT security have on a company’s bottom-line? We can even go further and ask ourselves whether it would be possible to calculate the ROI on the high perimeter wall and strong window grills we have built in our homes.

Corporate Boards should understand that ICT security is not an investment that provides a return. It is not like a new shamba or a new boda boda motorcycle, whose ROI can be measured.

ICT security is an expense that pays for itself through the losses it prevents. In other words ICT security is about loss prevention, not earnings, and loss prevention also affects a company’s bottom line.

For example, a company with weak access controls is likely to suffer repeated intrusions. Its credit card database would be attacked and the stolen data used to commit fraud. The business would suffer because customers would no longer trust the company and would move to the competition.

If, however, the same company implements robust access control measures it can reduce the likelihood of a successful breach dramatically, though never to zero. This loss prevention would positively impact the company’s revenue and reputation.

IT professionals therefore need to present a compelling narrative to corporate Boards that will result in behavioral change.

Corporate Boardrooms in Kenya should conceptualize ICT security as a loss prevention process and not a measurable ROI exercise. They need to ensure that management implements an ICT security framework and that all employees know about it and more crucially understand it.


Businesses and individuals need to protect their information now more than ever before. There are many reasons that justify this observation but the most important reason is the increasing reliance we have on information systems. Critical business transactions are now done through the internet. On a more personal level we are shifting to the digital platform for our banking, communication and education.

An information security plan has many components and one of the most important pillars is Information Classification. This is the categorization of data so as to facilitate the implementation of information confidentiality, integrity and availability.

There are six steps to achieving information classification in your organization. The first is identifying all the information sources that need to be protected: which information the organization holds, where it resides, who its owners and custodians are, what infrastructure it runs on and whether any protection measures already exist. All of this should be documented.

The second step in classifying information is identifying the information classes that will be used for example Secret, Confidential, Restricted and Unclassified.

Once the information classes are outlined, the next step is to identify the information protection measures that will be mapped onto the classes. These could be authentication, role-based access control, assurance, encryption and others. These are mainly technical IT controls.

The fourth step is mapping the information protection measures to the classes. For example, authentication verifies that a system user is who he or she claims to be by requiring the user to prove an identity before access is granted. Authentication can be mapped onto all information classified Secret, which would ensure that Secret information is accessed only by users who have been duly identified. Note that information classified Secret will normally have several protection measures applied apart from authentication.

In the fifth step, the classification labels and protection measures that were mapped must now be applied to the sources identified in the first step. For example, authentication is a measure we mapped to information classified Secret. We now need to determine which information is Secret. Staff medical records, for example, are a source that can be classified Secret and therefore require authentication to access.

The final step is a loop back. This is where the process should be repeated at planned intervals.

Information classification helps to ensure that security decisions conform to business objectives rather than to the IT department’s own information protection goals.


Information and communication technology has transformed our lives, as was prophesied. The computer, the mobile phone, the internet and databases have had a considerable impact on Kenyan society.

Many business opportunities have been created by the introduction of technology, for example M-Pesa. Mobile banking, electronic payment systems and e-learning are technological processes that will radically impact our society in the short term.

In the midst of all these positives it is important to remember the dark side of technology. Cyber-crime has increasingly become a serious concern. Online criminals and fraudsters, disgruntled employees, saboteurs, spies and foreign hackers are wreaking havoc on personal lives, businesses and governments.

One would then ask – how can we secure ourselves? Before answering this question it is important to answer another question – who or what are we protecting ourselves and our ICT systems against? In other words we must understand the fundamental risks we want to protect ourselves against before we secure ourselves.

There are four damaging risks that warrant protection. The first is data theft. Many company losses, and much lost competitive advantage, are due to employee data theft: a salesperson, for example, may copy the customer database to take to a new job or simply sell it to the competition.

The second risk is internet crime. The likelihood of a technology user falling victim to this kind of crime has never been greater. Internet scams, fraud and identity theft are all over the internet. Unarguably the most famous is the Nigerian 419 scam (named after the section of the Nigerian criminal code that covers fraud), which has caused suffering to many people all over the world.

The third most damaging risk is industrial espionage. This crime targets both the big multinationals and small businesses. Losses incurred by Kenyan companies when their strategies, patents, finances and marketing plans are stolen run into millions of shillings.

The fourth risk we face is malware infection. Cyber criminals target unprotected computers in order to infect them with malware, and home users are especially vulnerable. Malware is malicious software designed to gain unauthorized access to the resources of a computer (or a device such as a mobile phone) in order to steal data or invade someone’s privacy.

All these risks if not mitigated by way of ICT security can cause severe financial loss for businesses and individuals. These are the reasons as to why we have to secure our personal and business ICT systems.


Not many Kenyan business owners are convinced that ICT security is a severe threat to their firms. Business people are more likely to appreciate and react to the current inflationary fluctuations, the weakening shilling, high labour costs and increased energy costs. Little will however be heard about ICT and its security. This is despite ICT being the modern-day ‘nervous system’ that coordinates the business processes of most companies.

ICT systems support business processes, and the dependency ranges from Enterprise Resource Planning (ERP) systems that run integrated business processes, to e-mail for communication and document workflows.

All these systems have users who perform various tasks for the business. These employees must be able to access these systems at the appropriate level. The restrictions imposed on the employees are important. For example communication systems like Outlook e-mail should only be used for business.

An ERP system like SAP usually contains financial and personal data that is sensitive. Who accesses what is of utmost importance to the business. Restrictions will, for instance, ensure that a user who raises an invoice cannot also approve and pay that invoice. This is separation of duties, and it illustrates why ICT security is a business issue.

Most businesses unfortunately treat the granting of permissions and authorizations as the sole responsibility of the IT department. Business management only becomes involved when a user discovers they cannot perform a business function, for example re-ordering stock.

Treating ICT security as the sole responsibility of the IT department is counter-productive to the business. The marketing, finance, production and human resource representatives should be involved in the authorization design process.

This is because it is the business that will ultimately bear the consequences of a poorly secured system. Internal fraud is increasingly carried out through the ICT systems businesses use, precisely because of the high level of dependency the business has on those systems.

These fraudulent attacks are aimed at the business processes, which rely on the ICT systems; the internal fraudster simply uses the systems as the means to defraud the company. Mitigating the risk of fraud and financial misstatement is therefore not a purely ICT issue.

There is no excuse for ICT security not being well understood by the business side. It is for both the business and the IT department to take responsibility for ensuring that the security of their systems is aligned with, and prioritized as, a business issue.


All companies face risks to their businesses. Some succumb to them while others mitigate these risks and prosper. There is, however, a soft underbelly in most companies: their information and communication systems have emerged as critical vulnerabilities.

Preventing attacks to these systems is hard enough when faced with external attacks. Protecting an ICT system from an insider attack requires exceptional in-house ICT security capacity.

Stories abound of employees who have crippled companies through various activities. Sometime this year a disgruntled former employee of a pharmaceutical company in the US was charged with sabotaging the company’s IT infrastructure.

He had remotely logged into a hidden virtual server that he had created before he was dismissed. He used this server to take down all the company’s other servers: e-mail, billing, stock control and others.

This is a nightmare scenario any Manager would want to avoid at all costs. How then can we protect ourselves against insider sabotage?

The first defense is separation of duties: no single person performs a critical ICT task from end to end. It is then difficult to commit fraud or sabotage the systems without collusion among IT staff. Separation of duties should be augmented with robust logging and monitoring that records activity on critical systems, kept where the administrators being monitored cannot alter it.
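Separation of duties is only as good as the check that enforces it, and the conflict is usually invisible at the role level: two roles that are each harmless become dangerous when one person holds both. The following added example (not code from the original columns, and not the authorization model of SAP or any ERP product) serves both the invoice example in the previous column and the IT separation discussed here. It loads a constructed export of role and staff assignments into an in-memory SQLite database, reports every person who holds a conflicting pair of permissions, and offers a pre-grant check so that the conflict is refused before it exists. The conflict matrix, role names and staff IDs are assumptions for the illustration.

```python
import sqlite3

# Permission pairs one person must never hold together. The business pairs follow
# the invoice example; the IT pairs are what an insider needs in order to act and
# then erase the evidence. The matrix itself is an assumption for this example.
CONFLICTS = [
    ("raise_invoice", "approve_invoice"),
    ("approve_invoice", "pay_invoice"),
    ("create_vendor", "pay_invoice"),
    ("administer_database", "administer_audit_logs"),
    ("approve_change", "deploy_change"),
]

SCHEMA = """
CREATE TABLE role_permissions (role TEXT NOT NULL, permission TEXT NOT NULL);
CREATE TABLE staff_roles (staff TEXT NOT NULL, role TEXT NOT NULL);
CREATE TABLE conflicts (perm_a TEXT NOT NULL, perm_b TEXT NOT NULL);
"""

# Constructed sample of an ERP authorisation export.
SAMPLE_ROLE_PERMISSIONS = [
    ("AP_CLERK", "raise_invoice"),
    ("AP_MANAGER", "approve_invoice"),
    ("AP_MANAGER", "pay_invoice"),
    ("PROCUREMENT", "create_vendor"),
    ("DBA", "administer_database"),
    ("LOG_ADMIN", "administer_audit_logs"),
    ("CHANGE_BOARD", "approve_change"),
    ("SYSADMIN", "deploy_change"),
]
SAMPLE_STAFF_ROLES = [
    ("jkamau", "AP_CLERK"), ("jkamau", "AP_MANAGER"),   # can raise, approve and pay her own invoices
    ("amwangi", "AP_CLERK"),
    ("pochieng", "DBA"), ("pochieng", "LOG_ADMIN"),     # can alter data and then wipe the audit trail
    ("wnjeri", "CHANGE_BOARD"),
    ("dotieno", "SYSADMIN"),
]

# A person conflicts with themselves when roles ra and rb (possibly the same role)
# grant both halves of a conflict pair.
FIND_CONFLICTS = """
SELECT DISTINCT sa.staff, c.perm_a, c.perm_b
FROM conflicts c
JOIN role_permissions ra ON ra.permission = c.perm_a
JOIN role_permissions rb ON rb.permission = c.perm_b
JOIN staff_roles sa ON sa.role = ra.role
JOIN staff_roles sb ON sb.role = rb.role AND sb.staff = sa.staff
ORDER BY sa.staff, c.perm_a, c.perm_b
"""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role_permissions VALUES (?, ?)", SAMPLE_ROLE_PERMISSIONS)
    conn.executemany("INSERT INTO staff_roles VALUES (?, ?)", SAMPLE_STAFF_ROLES)
    conn.executemany("INSERT INTO conflicts VALUES (?, ?)", CONFLICTS)
    return conn


def find_sod_conflicts(conn):
    """Detective control: (staff, perm_a, perm_b) for every conflict already present."""
    return conn.execute(FIND_CONFLICTS).fetchall()


def permissions_of(conn, staff, extra_role=None):
    """Effective permissions of one person, optionally as if extra_role were added."""
    rows = conn.execute(
        "SELECT rp.permission FROM staff_roles sr "
        "JOIN role_permissions rp ON rp.role = sr.role WHERE sr.staff = ?", (staff,))
    perms = {r[0] for r in rows}
    if extra_role is not None:
        rows = conn.execute("SELECT permission FROM role_permissions WHERE role = ?", (extra_role,))
        perms |= {r[0] for r in rows}
    return perms


def would_conflict(conn, staff, new_role):
    """Preventive control: the conflicts that granting new_role to staff would create."""
    perms = permissions_of(conn, staff, new_role)
    return [(a, b) for a, b in CONFLICTS if a in perms and b in perms]


if __name__ == "__main__":
    db = build_sample_db()
    for row in find_sod_conflicts(db):
        print("conflict:", row)
    print("grant AP_MANAGER to amwangi?", would_conflict(db, "amwangi", "AP_MANAGER"))
```

The detective query belongs in a periodic review that the business owners, not only IT, sign off; the preventive check belongs in the provisioning workflow so that the request is refused, or routed for a documented exception, before the access exists.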

Knowing who you are hiring to take care of your ICT systems is the second defense against internal sabotage. Doing background checks on potential employees is sensible.

If you hire a skilled database administrator with a history of hacking, you should be ready for the consequences when the inevitable incident happens. Employee vetting is a practice local firms should embrace as part of their hiring process.

Another line of defense is limiting the use of administrator accounts that are shared between IT staff. Administrator accounts are privileged accounts that let the holder make changes that affect other users: change security settings, install software, create e-mail accounts and access all the files and systems in the company. Where one such account is shared, its logs cannot tell you which person did what. A smart IT Manager will convince administrators that they do not need keys to all the ‘digital gates’ in the company; when a cyber crime happens it is usually the gatekeeper (the administrator) who will be the early suspect, and an individually assigned account is what clears the innocent ones.

Many incidents of ICT fraud and attack are insider-driven. This threat should be addressed by every organization that depends on ICT systems for its operations.


Whether you are thinking of protecting your personal data or safeguarding business data, there are five ICT security fundamentals that you should never forget.

The first is never forgetting who uses which sensitive data. Data is not sensitive to everyone across the board. A company’s strategic five-year plan may be invaluable to investors and management but is quite useless to the messenger. Developing an inventory of sensitive data and of who consumes it is critical. This inventory will allow you to segregate data accordingly.

The second fundamental relates to the first and is the application of resources according to value. Once you have an inventory of your sensitive data you will have to apply various resources to protect it. A return on investment valuation of the security measures you will apply to the various data categories needs to be conducted, for example which types of encryption will be purchased and applied to the various levels of sensitive data you possess.

The third fundamental concerns customer data. Never forget that retaining customer data is more of a risk than a reward. Service companies that retain huge databases of their customers should be aware of the high risk they expose themselves to especially if the data is widely accessible. An example would be that unprotected server that stores all the credit card numbers that your business has ever accepted.

The fourth fundamental that should never be forgotten is that the absence of a comprehensive regulatory compliance framework exposes all of us to undue risk. Various sensitive data elements exist in any organization’s database, for example medical records and credit card numbers.

We are yet to develop locally an all-encompassing compliance framework that caters for particular data elements, for example medical records, in a particular sector and for data as a whole in the marketplace. The Kenya Communications (Amendment) Bill, 2008 is not a sufficient framework.

Finally, don’t forget that risk assessments tend to understate the inherent risk of sensitive data. It is not sufficient to determine whether access controls, for example, are in place. The crucial point is measuring how effective the access controls that are in place would actually be against a hacking attack.

A good example is password circumvention, where employees share passwords or work around logins to get past certain controls. A risk assessment will point this out; going further and implementing data-protection effectiveness metrics will provide greater security.


There has been a significant surge of small and medium enterprises that conduct their business online. They are to be found in varied sectors from delivery, call centers, software programming, insurance brokerage, money transfer and many others.

These SMEs (Small and Medium Enterprises) are primarily a product of the rapid development of the digital infrastructure in Kenya. Wider coverage, faster internet access and cheaper bandwidth, compared to satellite, have spurred their growth.

SMEs use technology as a business leverage that enables them to reduce operating costs, enlarge their market footprint in East Africa and ultimately achieve sustainable competitive advantage over their direct competitors.

SMEs have therefore invested heavily in ICT but this reliance on technology creates a number of problems for them. One of their biggest headaches is ICT security.

SMEs that do not employ ICT security measures usually find themselves the victims of online threats. Valuable strategic plans are stolen, denial of service attacks can be aimed at their services and many other online threats could befall them, not least because of the cut-throat competition in this sector.

SMEs could mitigate ICT security risks by doing the following. Getting a secure hosting provider is a sensible place to start.

SMEs depend on their websites as the front they present to customers. These websites usually hold their e-mail addresses, e-commerce engines and other valuable data, and they can be hacked if the hosting provider is careless about its own security.

Another must-do is blocking all unwanted traffic, completely. SMEs operate on tight budgets and online downtime is usually very expensive. It is therefore crucial to keep out unwanted ‘online visitors’, and a firewall does this: software (or a dedicated device) that filters incoming and outgoing traffic according to rules and drops connections that are not explicitly permitted. It protects your server from attack, though not from flaws in the web application running on it.

The last must-do concerns Secure Sockets Layer (SSL) certificates. SSL (today superseded by its successor, TLS) is the protocol that encrypts traffic between a visitor’s browser and your web server, so that information such as credit card numbers remains confidential in transit.

SMEs can obtain certificates from reputable international certificate authorities such as VeriSign or Thawte. A certificate lets the browser verify that it is talking to the genuine site and switch on encryption; it does not by itself make the site secure against flaws in the site’s own software.

SMEs are the backbone of our economy and as e-commerce gains a foothold in Kenya the onus is on them to reassure potential customers that it is safe to click and buy from their websites. This can only be achieved if they internalize ICT security as part of their business fundamentals.


Mobile phone hacking is now a reality. Your SMS messages and contacts were considered the most important data in your phone; voice-mail (or voice messaging) had been ignored as a potential risk until revelations in the recent U.K. phone hacking scandal proved otherwise.

Voice-mail is a computerized system for answering and routing telephone calls. It also records, saves and relays voice messages and can also be used to page a phone number.

Voice-mail uses Personal Identification Numbers (PINs), usually four digits long, to authenticate access to messages. Many networks, however, only demand the PIN when caller-ID is not available. Caller-ID is a feature of the phone network that gives the called party the name and telephone number of the caller, shown on the phone’s display.

When caller-ID is available, the network uses it to let a caller straight into the voice-mail box whose number matches. Accessing someone else’s voice-mail is then possible by pretending to be the genuine subscriber. This impersonation is called caller-ID spoofing: using software or a service that sets the presented caller-ID to the victim’s number, you can surreptitiously listen to their voice messages.

It is imperative that mobile phone networks implement measures that mitigate the risk of voice-mail hacking through caller-ID spoofing. The simplest is to require the PIN on every call, regardless of the caller-ID presented. Conventional measures such as notifying users of repeated or failed login attempts to their voice-mail accounts, and locking the box after a number of failures, also apply.

Our mobile network providers should authenticate on identifiers asserted by the network itself rather than on the caller-ID presented by the calling party, because the former are harder to spoof (impersonate).

Another very effective measure is to refuse automatic admission when the presented calling number is the same as the called mailbox number but the network’s own record of the caller does not match. This prevents an impersonator being waved through by the provider’s filtering process.
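The two authentication schemes side by side, as an added example that is not part of the original column and not the software of any operator: the weak scheme admits anyone whose presented caller-ID matches the mailbox, which is exactly what spoofing defeats; the hardened scheme demands the PIN on every call, refuses a call whose presented number equals the mailbox while the network-asserted identity differs, counts failures, alerts the subscriber and locks the box. The distinction between a presented and a network-asserted caller identity, the mailbox numbers and the PIN are assumptions for this illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Call:
    presented_cli: str   # caller-ID as displayed; set by the caller's equipment, so it can be spoofed
    network_cli: str     # identity the originating network asserts for the call; assumed harder to forge


class VoicemailAuth:
    """Mailbox authentication, weak and hardened, for a network's voice-mail platform."""

    def __init__(self, pins, max_failures=3):
        self.pins = dict(pins)                 # mailbox number -> PIN (constructed sample data)
        self.max_failures = max_failures
        self.failures = {m: 0 for m in pins}
        self.locked = set()
        self.alerts = []                       # (mailbox, message) notifications for the subscriber

    def login_cli_only(self, call, mailbox):
        """The scheme exploited in the phone-hacking cases: a matching caller-ID is enough."""
        return call.presented_cli == mailbox

    def login(self, call, mailbox, pin):
        """Hardened scheme: PIN on every call, spoof check, lockout and alerts."""
        if mailbox not in self.pins:
            return False
        if mailbox in self.locked:
            self.alerts.append((mailbox, "attempt on a locked mailbox"))
            return False
        # The column's rule: a presented number equal to the mailbox is only credible
        # if the network itself says the call comes from that number.
        if call.presented_cli == mailbox and call.network_cli != mailbox:
            self.alerts.append((mailbox, f"caller-ID {mailbox} presented from {call.network_cli}: spoof attempt"))
            self._failed(mailbox)
            return False
        # The PIN is required whatever the caller-ID says; compare in constant time.
        if pin is None or not hmac.compare_digest(str(pin), self.pins[mailbox]):
            self.alerts.append((mailbox, f"failed PIN attempt from {call.network_cli}"))
            self._failed(mailbox)
            return False
        self.failures[mailbox] = 0
        return True

    def _failed(self, mailbox):
        self.failures[mailbox] += 1
        if self.failures[mailbox] >= self.max_failures:
            self.locked.add(mailbox)
            self.alerts.append((mailbox, "locked after repeated failures; contact your provider to reset"))


if __name__ == "__main__":
    vm = VoicemailAuth({"0722000111": "4719"})
    owner = Call(presented_cli="0722000111", network_cli="0722000111")
    spoof = Call(presented_cli="0722000111", network_cli="0733999888")
    print("weak scheme admits spoofed call:", vm.login_cli_only(spoof, "0722000111"))
    print("hardened scheme admits spoofed call:", vm.login(spoof, "0722000111", None))
    print("owner with PIN:", vm.login(owner, "0722000111", "4719"))
    for mailbox, msg in vm.alerts:
        print("alert", mailbox, msg)
```

Note that the spoof check runs before the PIN check: a caller who has both spoofed the number and guessed the PIN is still refused, and the subscriber is told about it.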

As a voice-mail user there are a few things you can do to secure your voice-mail. If you use a PIN, choose one that is not your birth year, the last digits of your number or the factory default, and change it regularly, just as you should your computer passwords.

You should also disable voice-mail if you do not use it regularly. This ensures that messages are not left on your account without your knowledge.
You should also look out for voice-mail alerts that do not add up. Ever received a new-message alert, only to find that the messages playing are old ones? Someone else may have listened to the new one first.

Voice-mail hacking is a present day reality. You should report suspected breaches to your mobile provider and the relevant authorities.


Most of our mobile phones have a feature that identifies the caller. If it is the landlord you want to avoid, just add his number to your contacts and the Caller-Identification (C-ID) feature will tell you it is him before you answer.

Caller-ID (C-ID) transmits a caller’s number (and, where available, name) to the called party’s network provider, which forwards this information to your phone. You can then decide to accept or reject the call; Caller-ID lets you give informed consent before answering.

C-ID is a powerful feature if linked to a database. The recent attempt to register SIM card owners was a step in the right direction. A database of SIM owners would have greatly reduced the anonymous calling that is currently rampant.

Using a database of SIM card owners, the network providers can ensure that mandatory C-ID is enforced: every call would carry a name and number. This is a simple solution that could have been implemented to stop the threatening calls mobile phone subscribers receive.

C-ID however can be circumvented by new technologies that allow criminals to masquerade as other people and present a false identity. This is called Caller-ID spoofing. C-ID spoofing is where a criminal makes the call appear to have come from any name and phone number the criminal chooses. Caller-ID spoofing software easily allows criminals to lie about their identity and present false names and numbers which can be used to blackmail, threaten and defraud unsuspecting victims.

Imagine how useful this technology would be to the Kamiti fraudsters out there. A criminal would, for example, be able to impersonate one of our banks and convince an unsuspecting account holder to part with their ATM PIN.

This insidious crime is already with us and Caller-ID spoofing software is readily available in the internet.

C-ID spoofing is especially easy with Voice over Internet Protocol (VoIP) or IP telephony systems, which are in use by many multinationals in Kenya. VoIP allows you to use an Internet Protocol (IP) network such as the internet to carry phone calls, and the caller-ID is just a field that the caller’s own equipment fills in. The threat is considerably higher in these systems because the caller can be anywhere on the internet, which also raises legal jurisdiction challenges.

SIM card registration and implementing Caller-ID across all our networks are our first line of defense against anonymous callers. Combating Caller-ID spoofing is the next step in ensuring that we can identify all the callers in our phone networks.


Keyless entry, or smart keys, for cars have been around for some time now. A smart key lets the driver keep the key in a pocket (or handbag) while unlocking, locking and starting the vehicle.

Smart keys work on proximity. As you approach the car, one of the car’s antennas detects your key; a radio transmitter in the key ‘greets’ the car and a handshake ensues. The alarm is disarmed and the doors unlock automatically. Walking away from the car initiates the lockdown: the doors lock, the alarm arms and the engine is immobilized.

The convergence of technology is best illustrated by the latest smart key – your smart mobile phone. The mobile phone as a smart key is currently confined to up-market cars but expect to see your Japanese model using it in the very near future. Your mobile phone will, very soon, evolve into the ubiquitous universal remote control device.

GSM mobile phones now run applications (apps) that provide the same functionality as the smart key: the phone can disengage the immobilizer and activate the ignition without a physical key in the ignition. Communication between the phone and the vehicle’s receiver is software-driven, and that software is exposed to attack.

Hackers can exploit weaknesses even in the latest mobile phone standard, 3G/UMTS/WCDMA.

By reverse engineering the network protocol and then monitoring it closely with “sniffers”, it is possible to work out the messages needed to send rogue commands to cars that use mobile phones as smart keys. This technique is popularly known as “war texting”.

Using a modified (“souped-up”) mobile phone it is possible to analyze a GSM network more extensively, relaying the data received from the network to a laptop in real time. It then becomes possible to send an SMS to a target phone and learn its network identifier, and to use that to attack the phone acting as a keyless key.

This exploit allows a hacker to send rogue commands from a safe distance. As the GSM and UMTS standards become better understood, their security flaws and shortcuts become more widely known among hackers.

As the mobile phone becomes a universal remote control device it is important to appreciate that technological advancement is usually accompanied by vulnerabilities.


You have most likely received those fraudulent SMS messages that try to con you out of your M-Pesa money. Social engineering is the primary technique used to ensnare the unsuspecting into sending money to these criminals popularly known as Kamiti conmen.

These ‘soft’ techniques will eventually become well known and the conmen will naturally innovate other methods of getting at the PINs that reside in your mobile phone. They can do this in two ways, logically or physically.

Your data can be pried out of the phone’s running memory or out of the phone’s storage, the internal drive or flash card.

Running (volatile) memory holds whatever the phone is working on at the moment and is lost when the phone is switched off, like a computer’s RAM. Examples would include PINs and passwords you have just typed, or e-mail messages you have open.

Permanent data is stored in the internal drive or the flash card of most phones. It remains there until changed or deleted and is not lost when the power is turned off.

In mobile forensics the two kinds of copy are called a logical extraction and a physical extraction. A logical extraction asks the phone’s own software for its data (contacts, SMS, files, application data) and takes a few minutes; it is the easier of the two. A physical extraction copies the storage chip bit for bit, which needs more specialised tools but captures everything, including data that has been deleted. Volatile memory can also be captured from some devices with specialist tools, which is how a PIN or a money-transfer detail typed moments ago can be recovered.

Another concern that you should be aware of is that data stored on some smartphones can be forensically restored or retrieved. Data stored on physical media such as the phone’s internal drive, or its flash card, can be restored even after deletion. This data can, for example, be deleted voicemail messages, emails, SMS messages, calendar events, deleted photos and typing cache (where an SMS can be retrieved even if the SMS was deleted before sending).

The main point to note is that the data in your phone is worth more than your phone many times over. This data can be obtained overtly and covertly. Deleting it does not mean it can’t be retrieved.

The sheer amount of your personal data that is in your mobile phone is enormous and how you protect it should be of paramount concern to you.