Cyber Security Management in Kenya
Victor Kyalo
Kenya ICT Board
Agenda
• Background
• Global Cyber Incidents
• Mitigating Cyber Threats
• Conclusions
• National PKI Establishment
Background
Internet
• 50 websites in 1993, up to 36M websites in 2001 (Clinton)
• Now 150M domains and 75M websites
• 2 billion users globally
• 3.2M to 9M in 6 months (99% on GPRS/EDGE/3G)
• 4 billion IPv4 addresses depleted... now IPv6
Mobile
• 5 billion subscribers globally
• 25M in Kenya (more than 50% of the population)
Social Media
• 500M Facebook users
• 200M Twitter accounts
Services
• E-government: PSC, immigration, KRA, etc.
• Banking, electricity, nuclear, cars, home appliances...
Infrastructure
• National Optic Fibre Backbone Infrastructure (NOFBI)
• 3 fibre optic cables to Kenya/East Africa (4th coming)
Conclusion
• No doubt the Internet has grown in numbers and use
• Focus is now changing to cyber security management.
Background
Cybercrime
• A term used broadly to describe activity in which computers or computer networks are the tool, target, or place of criminal activity.
• Takes a number of forms, including identity theft, internet fraud, violation of copyright laws, hacking, computer viruses, denial of service attacks, cyber espionage and spam.
• Many types of cybercrime are simply extensions of existing criminal activities.
• Was for fun, now for profit: a multi-billion-dollar illegal industry ($1 trillion in 2009, FBI).
Cybersecurity
• A branch of computer technology known as information security, as applied to computers and networks.
• The objective of computer security includes:
  • protection of information and property from theft, corruption, or natural disaster,
  • while allowing the information and property to remain accessible and productive to its intended users.
Global Cyber Incidents
Stuxnet
• Attack on the Iranian nuclear power project which destroyed the nuclear plant centrifuges.
Google Attack
• Google's internal network was hacked; there was alleged theft of intellectual property.
EU Internet Services
• Distributed Denial of Service (DDoS) attack on EU email/web site services before a meeting to discuss the situation in Libya.
Moscow Billboard Hacker
• Hackers replaced adverts with pornographic material.
Heartland Payment System
• 1.2 million credit card details stolen.
Mobile Money Fraud
• "I've sent money by mistake, please send back!"
Mitigating Cyber Threats (Efforts)
• 2005: WSIS Declaration of Principles
• 2006: ITU Plenipotentiary Resolutions 130 and 149
• 2009: EACO Cybersecurity Taskforce
• 2009: Kenya Communications (Amendment) Act 2009
• 2010: Electronic Transactions Regulations 2010
• Currently: KE-CIRT CC establishment (CCK)
Mitigating Cyber Threats: Kenya
• Policy: Section 2.11 of the National ICT Policy of 2006 addresses ELECTRONIC SECURITY
• Legal: Kenya Information and Communications Act
• Regulatory: E-Transaction Regulations 2010
• Technical: KE-CIRT under CCK
KE-CIRT
Mandate
• National focal point for:
  • Coordinating information flow
  • Response to cyber attacks, and
  • Remediation of cybersecurity incidents for Kenya
Functions
• National POC on cybersecurity;
• Coordinating cyber incident responses at the national level;
• Liaising with local sector CIRTs and regional/international CIRTs;
• Facilitating development of a national PKI framework;
• Gathering and disseminating technical information on computer security incidents, vulnerabilities and security fixes;
• Creating awareness;
• Research and development on computer security.
KE-CIRT
Constituents
• Government
• All other ICT users
Partners
• CCK
• E-Government
• Kenya ICT Board
• Law Enforcement
• Central Bank
• KENIC
• Association of ICT Operators (TESPOK)
• Academia (KENET)
• Developer Community
Conclusions
Partnerships
• Government and Private Sector
• Building Trust Networks: security forums
Flexible Frameworks
• Policy
• Legal
• Regulatory
Capacity Building
• Technical/Law Enforcement/Legal
• Public Awareness (CCK)
Standards
• InfoSec Policies
• InfoSec Standards (PKI, Software Development, etc.)
• Software Assurance Standards
Research & Development
• Information Security
• Digital Forensics
• Legal
National PKI Establishment (NPKI) (Work in progress)
Contents
1. Necessity of National PKI
2. The Status of InfoSec/PKI in Kenya
3. Steps of NPKI Establishment
4. Questions
1. Necessity of National PKI
PKI (Public Key Infrastructure)?
Personnel, policy, procedures, components and facilities to bind user names to electronic keys so that applications can provide the desired security services.
Components shown in the diagram:
• Certificate Authority and Registration Authority (PKI Server, server-side software)
• Directory Server (certificate repository)
• PKI Client (PC/Phone/PDA, client-side software) holding a client certificate; servers hold a server certificate
Digital Signature
Need for Digital Signature
Industrial Society: offline (face-to-face). Informational Society: online.

Problem                                            Service           Solution
Risk of deceiving the identity of the sender       Authentication    Digital Signature
Risk of changing information in transmission       Integrity         Digital Signature
Risk of denying the fact of a transmission         Non-repudiation   Digital Signature
Risk of exposing information in transmission       Confidentiality   Encryption
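The three rows answered by a digital signature can be checked in code. This is an added illustration, not material from the slides: an Ed25519 signature verifies only under the sender's public key and only over the exact bytes that were signed, so a spoofed sender and an altered message both fail, and because verification needs no secret, any third party can confirm who signed what (non-repudiation). The party names and the message are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// party holds one signer's key pair; the private key never leaves the party.
type party struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newParty() party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return party{pub, priv}
}

// check verifies sig over msg using only the claimed sender's public key. No secret
// is needed, so anyone can confirm who signed what (non-repudiation).
func check(sender ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(sender, msg, sig)
}

// demo maps the three risks from the table to concrete checks and returns the verdicts.
func demo() (genuine, spoofedSender, tampered bool) {
	alice, mallory := newParty(), newParty()
	order := []byte("Transfer KES 5,000 to account 0011") // constructed sample message
	sig := ed25519.Sign(alice.priv, order)

	genuine = check(alice.pub, order, sig) // authentic sender, unchanged message
	// Authentication: Mallory signs the same text with her own key while claiming to be Alice.
	spoofedSender = check(alice.pub, order, ed25519.Sign(mallory.priv, order))
	// Integrity: the amount is altered in transit while Alice's original signature is reused.
	altered := []byte("Transfer KES 50,000 to account 0011")
	tampered = check(alice.pub, altered, sig)
	return genuine, spoofedSender, tampered // true, false, false
}

func main() { fmt.Println(demo()) }
```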
Identification and Signature
Real World
• For authentication: National ID Card (reusable)
  Name: Jaejung Kim; SSN: XX0921-152XXXX; Address: SG, Seoul, Kr; Issued Date: 2002/6/1; Finger Print
• For signing: Signature or signature-seal
Cyberspace (Internet)
• For authentication: Accredited Certificate (impossible to reuse)
  Name: Jaejung Kim; Serial No: 883XXX8377; Address: SG, Seoul, Kr; Validity: 2008/6/1 ~ 2009/5/31; Public Key; CA's Signature
• For signing: Digital signature using the asymmetric encryption/decryption method (Encrypted Private Key + Digital Signature)
Types of Certificates
Certificate Without Accreditation (or Private Certificate)
A certificate issued by a certification organization that is not accredited by the government. It is used for a limited number of e-transactions.
Accredited Certificate
The accredited certificate is issued by a CA which in turn is designated by the government pursuant to the laws, after thorough screening, to be used for various e-transactions.

Category                           Accredited Certificate                          Certificate Without Accreditation
Level of technology and security   Passage of thorough screening pursuant to law   Impossible to verify
Legal effect                       Valid as provided by the laws                   Valid only by agreement
Compensation                       Easy to get compensated                         Hard to get compensated
Scope of applicable services       Wide                                            Narrow
What happens if the country doesn't establish a NPKI early?
• It will result in duplication of resources and confusion in policy-making because of the absence of a unified infrastructure.
• It will not grow its national competitive edge in the region, because a country without its own NPKI does not accumulate and retain its own technologies related to security and certification.
• Interoperability issues among CAs are bound to arise due to the absence of unified technical standards.
• It is difficult to build an e-government framework, because PKI is mandatory infrastructure in e-government.
• It is hard to cooperate with other nations on international interoperability because of the absence of an accredited CA.
• Users or entities have to use many certificates, one for each application.
2. The Status of InfoSec/PKI in Kenya
Domain Information (April 2011) [chart]
Hacked/Defaced Websites 2007-2011 (.go.ke) [chart]
Hacked/Defaced Websites (.ac.ke) [chart]
Hacked/Defaced Websites (.co.ke) [chart]
Current state → target state:
• Certificate Without Accreditation → Accredited Digital Certificate (Trusted and Valid)
• Weak Authentication → Accredited Digital Certificate + Human Verification
• Confidential Client Data → Encrypted Database (Anti-WikiLeaks)
3. Steps of NPKI Establishment
Setup of Infrastructure for Internet Security
PKI Model: to establish a safe and reliable information society
• Government: Law, Policy, Standards (Establishment Law on Electronic Signature, PKI Standards); building the PKI Center (Root CA); licensing Accredited CAs
• Accredited CA: Certification Service, issuing the Accredited Certificate
• Application service organizations or companies: developing PKI-enabled applications (E-procurement, Internet Banking, E-commerce, etc.)
• USER: uses the Accredited Certificate to produce an Accredited Electronic Signature
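The certificate comparison and the Root CA / Accredited CA / user model above can be made concrete with Go's standard X.509 library. This is an added example, not the NPKI project's code: a relying party holds only the national Root CA as its trust anchor, so a certificate chaining Root CA to Accredited CA to user verifies, while a self-issued (non-accredited) certificate for the same name does not. The CA names are assumed; the user name is the one used on the slides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn: self-signed when parent is nil, otherwise signed by parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed: stands in for a CA's serial database
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku |= x509.KeyUsageCertSign } // only CA certificates may sign further certificates
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: issuer and subject are the same entity
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsToRoot reports whether leaf validates through the accredited CA up to the national Root CA.
func chainsToRoot(root, accreditedCA, leaf *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(accreditedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// demo builds Root CA -> Accredited CA -> user beside a self-issued certificate and reports which one is accepted.
func demo() (accredited, unaccredited bool) {
	root, rootKey := issue("KE National Root CA", true, nil, nil)
	ca, caKey := issue("Accredited CA", true, root, rootKey)
	user, _ := issue("Jaejung Kim", false, ca, caKey)
	private, _ := issue("Jaejung Kim", false, nil, nil) // non-accredited issuer: no path to the root
	return chainsToRoot(root, ca, user), chainsToRoot(root, ca, private)
}
func main() { fmt.Println(demo()) }
```

The accredited path prints true and the self-issued one false; the relying party never needs to know the accredited CA in advance, only the root that licensed it.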
PKI-enabled Application Development: e-Government Applications
• Petition Service: identify oneself online by certificates
• E-Supply (G2B): online bidding with certificate
• 4 Major Insurances data exchange (Labor, Medical care, Pension, Industrial disaster): Internet access with certificate
• National Financing Information System: based on Internet banking, etc.
• Taxation (National Tax Agency): access with certificates
• Regional Administration (service for counties): access with certificates
• Education Administration System: teachers can access with cert.
• Personnel Management inside Government: all employees inside Government
• Electronic document system: interoperable with other systems
• Digital Signature & Seal: distribute certificates; develop and enhance systems adopting certificates
• Enhance computerization: sharing national resource information
Effectiveness of Expectations
Public Key Infrastructure (PKI Center): Law, Policies, Standards & Technology; Accredited CA; PKI-enabled Applications
USER
• Reduce time and cost.
• Convenience of applications like Online Civil Service, Internet Banking, etc.
Corporation
• Convert offline business to online.
• Provide a more secure and safe service.
• Increase the trust of the company.
Government
• Increase confidence and trust.
• Ensure interoperability of the PKI infrastructure with other Governments.
• Establishment of a National Security Plan.
Background: PKI is making up a safe and trustful environment using electronic signatures.
National PKI Establishment: Win (User) – Win (Government) – Win (Company)
Asante!