Cyber security is perceived to be a highly technical subject well understood by a select few. In addition, most people who talk about it generally don’t have their hands wrapped around the subject entirely. Even worse, pick anyone from the street and pose the question,
“What is cyber security?”
For most of us, we trust whoever is handling our information to take appropriate measures to safeguard it. A case in point is our banks. When you open an account with any bank of your choice, you trust the bank to take good care of your money and any other information entrusted to them. Occasionally, the bank might be hit by fraud but even then, the depositor’s money is “always” secured, through an insurance cover. With that in mind, you only have to worry about your business as usual, leaving the task of protecting your funds to the bank.
If we expand this scope further, we can extrapolate the same model to other entities that hold our information, e.g. social media sites, email, mobile phone service providers etc. The big question though is, is there a way users of these services can pro-actively prevent their information from getting into the wrong hands? The simple answer is yes. The how, though, is a different ball game altogether. Let us start with the simplest of them: passwords. It has been preached over and over about the need to have a strong password. The reality of passwords though is that they are slowly proving not to be as effective as they were once paraded to be. In other words, passwords are “dead”. This does not mean that we shouldn’t take measures to ensure we have non-predictable passwords, say for our social media accounts, emails, Internet banking etc.
Another major concern I have about personal information being in the public domain is the standard “sign in” model employed in most buildings. When you want to gain access to most, if not all companies nowadays, you need to walk up to a guard who immediately asks you to sign in on some beaten up 4 Quire book. The details they collect from us are your name, ID Number, mobile phone number, company to visit, time in, time out and your signature. The next time you surrender this information, ask yourself, after the book is filled up, where does it go? Who is the custodian of all that private data collected? Do they have a Data Protection Policy which has principles drawn from the Kenya Data Protection Bill?
The very principles of Identity Theft, where one purports to be someone else, lie deep within the collection of the above information. Some may argue it is a far-fetched thought but if you look closely at what defines you within the “system”, you will be surprised just how easy it is to profile your behaviors and trends.
Our inherent propensity to trust people has been taken advantage of for the longest time. I once played on someone’s trust to gain access to a certain local bank. This is how it played out. It was on a Friday evening and as I was plowing through a social media site, I caught a glimpse of this Information Security consultant’s update about how he will have a ball with his colleagues at a certain pub. In the usual social engineering fashion, I “coincidentally” positioned myself in the same venue with him and his friends and after chatting up for about 30 minutes, I knew I had achieved what I was looking for so I left. The following Monday, I confidently walked up to the bank and at the reception, I asked to see this gentleman who was all too willing to let me in, under my guise of “I also have an ongoing assignment in the bank”, which I clearly did not have. So he led me to their IT department and it was all downhill from there. Moral of the story? Trust but verify. Beware of tailgaters who will pretend to have forgotten their access cards and have you open or hold the door for them.
Finally, there are great strides being made by the government to protect the public from cyber criminals. However, some ideas are rather far-fetched and ill-informed. The declaration to register all Internet devices by KENIC (although later clarified, but not in the dailies) was a clear indication of how misinformed some members of the public sector are regarding the subject. To register a device, it would mean surrendering the MAC (Media Access Control) address, which is simply the hardware ID. By conventional wisdom, this can be faked or spoofed quite easily, meaning that even if an entity does register the device, it can assume a different ID every time it connects to the Internet. Moreover, in this age of “anonymizing” your presence online, it will be self-defeating: a device can again present a spoofed MAC address and, in turn, be logged against a fake source IP address, so that any investigation ends up chasing the proverbial wild goose.
AfricaHackOn aims to address the above challenges by raising a fresh breed of professionals who look at these matters from a fresh perspective. We have so far been in touch with universities, hosting bootcamps that introduce these concepts to brilliant minds. We want to breed entrepreneurs in this field, while at the same time raising awareness to the public to demand better quality of employees within government to front the National Cyber Security Master Plan which is long overdue.
The annual AfricaHackOn conference will be taking place on July 31st, 2015 at iHub. For more information on how to sign up, please visit http://africahackon.com/africa/conference.
Catch up with AfricaHackOn on Twitter: @AfricaHackon.
BY TYRUS KAMAU from ihub.co.ke