8/8/2019 Dr Frederick Wamala - BarCampAfricaUK 09 FINAL
1/34
Dr. Frederick Wamala (Ph.D.), CISSP
Securing Africa's speedy Internet for development
07 November 2009
2/34
One for the Lawyers
Opinions expressed here do not reflect those of any past, present, or future employers.
All trademarks are the properties of their respective owners.
Source: Charlie Kaufman, IETF
3/34
Agenda
We never imagined it this good.
The Cables
Impact on Internet Access
Potential benefits
Hackers and espionage paradise?
Information Assurance
Discussion
4/34
We never imagined it this good
"As African Internet service providers connect to Seacom, how can we size up what this really means? For me, this is easy. Thirteen years ago we had our fantasies about what the Internet and telecoms paradise in East Africa would look like. We never imagined that it would be this good, that we would turn potential into reality in such a big way so fast."
Adam Messer, Telecom Advisor, Tanzania/Germany
The East African Newspaper, 03 August 2009
5/34
The Cables!
Source: Steve Song
6/34
Coverage of the cables
Cable      Length (km)   Capacity              Completion
Seacom     13,700        1.28Tb/s              July 2009
EASSy      10,000        1.4Tb/s               June 2010
TEAMs       4,500        120Gb/s / 1.28Tb/s    Sept 2009
WACS       14,000        3.84Tb/s              Q2 2011
MainOne     7,000        1.92Tb/s              June 2010
GLO-1       9,500        640Gb/s?              Nov 2009
ACE        14,000        1.92Tb/s              2011
Source: Steve Song
* EASSy: Eastern African Submarine Cable System
* TEAMS: The East African Marine System
* WACS: West African Cable System
* ACE: Africa Coast to Europe
7/34
Impact of new connectivity
Stanford University Project:
Cables to reduce the cost of bandwidth per Mbps;
Cut Round Trip Times (RTT) from >~480 ms for a geostationary satellite to 200-350 ms by using shorter distance terrestrial routes;
Increase in capacity reduces congestion. Thus, more stable RTT and reduced packet loss;
Example: Uganda (August 09), RTT on Starcom link to Italy reduced from 600ms to 200ms.
8/34
Potential Benefits
Cheaper and more reliable connectivity
Data Entry Services;
Business Process Outsourcing;
Call Centre Services and business support;
Data warehousing;
Storage Area Networks; and
Software Development
9/34
A hacker's Paradise?
10/34
ANC Website hacked July 2009
11/34
Points to note: ANC attack
Vendor designed and managed website;
Custom built web-application;
The Web Infrastructure not patched;
No incident management process;
System owners unaware: ANC Spokesperson Brian Sokutu said that he would look into the matter, but could not do anything until Monday.
Embarrassing: ANC site linked to sleazy sites!
12/34
North Africa attacks: 2007-2009
Political websites hacked
13/34
Notes: North Africa attacks
Hacking of political opposition websites in North African countries: Tunisia, Libya and Mauritania;
Opposition and dissident websites de-faced;
Who is behind these attacks?
As Carl Philipp Gottlieb von Clausewitz opined, is there a reason not to say that this CyberWar is a continuation of politics by other means?
14/34
Ministry of Defence Uganda: 2009
15/34
Notes: Ministry of Defence Uganda
Ayyildiz Team hackers de-faced the Ministry of Defence website with pro-Palestinian messages;
No incident detection process: apparently the site was de-faced for weeks without anybody noticing;
Web design company asked to remove offending messages but did not respond for about a week;
Foreign Affairs had to make clear the posts did not represent the views of [Uganda] government;
Were other systems hacked during this attack?
16/34
Foreign Affairs Uganda: 2008
17/34
Notes: Foreign Affairs Uganda
Ministry charged with promoting Uganda's image abroad: encourage investors, tourism etc;
Site a vital tool despite typos, e.g. "investiment";
Website a risk (zombie), thus Google blacklisted it;
No incident detection process, as the Ministry was unaware of the Google blacklisting;
Vendor did not fix problem in time; and
No evaluation of information loss or whether other systems were affected by the incident.
18/34
From President to Cartoon: 2004
19/34
Notes: Zambian Attack
Young hacker broke into State House website and replaced the picture of then president Frederick Chiluba with a cartoon;
Web server likely poorly configured;
Hacker arrested and charged with defaming the Head of State, but the case was dropped as there was no law to deal with cyber crimes;
Zambia's parliament unanimously passed a tough law to curb cyber crime, with convicted computer hackers jailed for between 15 and 25 years.
20/34
Espionage/hacking in action
21/34
A global paradise for hackers/spies
Tracking GhostNet (29 March 2009): "Documented evidence of a cyber espionage network, GhostNet, infecting at least 1,295 computers in 103 countries, of which close to 30% can be considered as high value diplomatic, political, economic and military targets."
"A covert, difficult-to-detect and elaborate cyber espionage system capable of taking full control of affected systems."
22/34
GhostNet ...
"The GhostNet Trojan is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras. Once compromised, files located on infected computers may be mined for contact information and used to spread malware."
23/34
Notes about GhostNet
GhostNet uses low key surveillance to get data;
Trojan spread in seemingly genuine e-mail messages and attachments;
Limited user awareness of cyber vulnerabilities;
Indeed, many users barely computer literate;
Users do not adhere to even basic security rules;
No vulnerability management or patching policies;
Besides, patching difficult on pirated software.
24/34
Lessons from hacked Africa sites
Confidentiality, Integrity and Availability affected;
Websites largely run by Third Party companies;
Security not in Service Contracts/No penalties;
Websites not patched or poorly configured;
Incident Management processes not defined;
No business continuity and recovery plans;
Real Impact e.g. Diplomatic incident with Israel;
No evidence breach investigated/lessons learned.
25/34
Information Assurance (IA) Value and Process
26/34
What is Information Assurance (IA)?
The solution to the issues is IA. It is defined as:
"The confidence that Information Systems will protect the information they handle and will function as they need to, when they need to, under control of legitimate users."
Or: "The confidence that risks to information systems are being properly managed."
- HMG Information Assurance Standard No. 2
27/34
Why is IA vital for Africa?
Without IA, Africa's newly acquired fast Internet links will fail to spur development because:
Confidentiality: Limited confidence that access to data is restricted to authorised parties only;
Integrity: Low trust in the accuracy, completeness and hence reliability of information;
Availability: Limited confidence that information, systems or physical assets will be available to authorised users in a timely manner if required.
Thus, with EU, SEC, FSA etc rules, no IA means limited outsourcing business from the West.
28/34
Lack of IA institutional memory
Silicon Valley - A product of work in the fields of radio, television and military electronics;
Generous funding from an assured client: DoD;
Companies and universities had to follow DoD rules;
CESG is the UK Technical Authority for IA;
Africa: Computing business/private sector driven;
IA a nuisance in face of poor infrastructure/profit;
Governments relying on private firms to supply IT. Thus, inheriting a similar/reactive security view.
29/34
IA Institutional Infrastructure
National Security Strategy recognising the critical role of IT in economic and military security;
Cyber Security Strategy;
Laws of Evidence: Legal admissibility and evidential weight for electronic information;
Risk Management: Identify Critical National IT infrastructure and protect it accordingly
30/34
Information Assurance controls
Procedural Controls
Incident Management: detect, analyse and resolve
Backup and disaster recovery: fallback position
Audit and Monitoring: help detect and analyse
Personnel Controls
Managing Third Party staff, i.e. Enemy in the Gate!!
Security Vetting and Clearance regime: Who are they?
User Education and Awareness training: Best defence
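The common thread in the ANC, Ministry of Defence and Foreign Affairs cases earlier in the deck is that nobody noticed the defacement or the Google blacklisting for weeks. The following is an added example, not part of the original slides, of the kind of scheduled "Audit and Monitoring" check a site owner (or the contract with the third-party web vendor) can require: it hashes a whitespace-normalised copy of the served page against a stored known-good baseline, and flags any outbound link, script or frame pointing at a domain the owner has not approved (the "site linked to sleazy sites" symptom). The hostname example.gov.ug, the allow-list and both HTML pages are constructed placeholders; nothing is fetched from the network.

```python
"""Defacement / unapproved-link monitor for a public website (added example).

Two detections run over the HTML a monitor would fetch on a schedule:
  1. content drift: SHA-256 of the normalised page differs from the baseline
     recorded when the owner last approved the site;
  2. link hygiene: href/src attributes pointing outside the approved domains.
Sample pages and domains below are constructed for illustration.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical site: only these hosts may be referenced from the page.
ALLOWED_DOMAINS = {"example.gov.ug", "www.example.gov.ug"}


class _LinkCollector(HTMLParser):
    """Collect every href/src on tags that can pull in or point to outside content."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "iframe", "script", "img", "link", "form"):
            for name, value in attrs:
                if name in ("href", "src", "action") and value:
                    self.refs.append(value)


def normalise(html: str) -> str:
    """Collapse whitespace so reformatting alone does not raise an alert."""
    return re.sub(r"\s+", " ", html).strip()


def page_hash(html: str) -> str:
    """Baseline fingerprint: store this when the owner signs off the content."""
    return hashlib.sha256(normalise(html).encode("utf-8")).hexdigest()


def unapproved_domains(html: str, allowed=ALLOWED_DOMAINS) -> list:
    """Return hosts referenced by the page that are not on the allow-list.
    Relative URLs (no host) are the site's own and are ignored; scheme-relative
    '//host/path' URLs are resolved to their host like any absolute URL."""
    parser = _LinkCollector()
    parser.feed(html)
    hosts = set()
    for ref in parser.refs:
        host = urlparse(ref).hostname
        if host and host.lower() not in allowed:
            hosts.add(host.lower())
    return sorted(hosts)


def check_page(current_html: str, baseline_hash: str, allowed=ALLOWED_DOMAINS) -> dict:
    """One monitoring run: compare the served page with the approved baseline."""
    changed = page_hash(current_html) != baseline_hash
    bad_hosts = unapproved_domains(current_html, allowed)
    alerts = []
    if changed:
        alerts.append("page content differs from approved baseline")
    if bad_hosts:
        alerts.append("links to unapproved domains: " + ", ".join(bad_hosts))
    return {"changed": changed, "unapproved_domains": bad_hosts, "alerts": alerts}


# Constructed sample: the page as approved by the site owner.
BASELINE_HTML = """<html><body><h1>Ministry of Example</h1>
<p>Official information for investors and visitors.</p>
<a href="/contact">Contact</a>
<a href="https://www.example.gov.ug/news">News</a>
</body></html>"""

# Constructed sample: the same page after an unauthorised change.
DEFACED_HTML = """<html><body><h1>Ministry of Example</h1>
<p>Site content replaced (constructed sample text)</p>
<a href="http://bad.example.net/promo">Click here</a>
<iframe src="//cdn.example.org/x.js"></iframe>
</body></html>"""

if __name__ == "__main__":
    baseline = page_hash(BASELINE_HTML)
    for label, html in (("approved", BASELINE_HTML), ("defaced", DEFACED_HTML)):
        result = check_page(html, baseline)
        print(label, "->", result["alerts"] or ["no alerts"])
```

In practice the baseline hash is re-recorded only through the change-control process, so every approved edit by the web vendor becomes a visible event rather than something indistinguishable from a defacement; this is the kind of check that turns "site de-faced for weeks without anybody noticing" into a same-day alert.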
31/34
IA controls
Physical Controls
Site security: Control access to computer facilities
Backup storage to facilitate recovery from disasters.
Technical Controls
Robust infrastructure: is your network bugged?
Adoption of security principles, e.g. zoning
Service minimisation: turn off services by default!
32/34
Focus on security housekeeping
As GhostNet shows, educate your users!
Stop poor security practices, e.g. ban use of Hotmail etc for government or corporate communication;
Insist on validated network equipment even if it is more expensive at the start: cheaper long term;
Note: Authorised insiders, not hackers, pose the greatest threat to your IT systems;
Stringently vet vendor staff: no spies may apply.
33/34
Make security breaches costly!
US: ChoicePoint fined $15m for failing to protect customer information, losing it to criminals;
UK: HSBC Bank fined over £3m for not having adequate controls to protect customers' data;
UK: PA Consulting's £1.5m contract cancelled for losing a memory stick with 84,000 prisoner records;
UK: Nationwide fined £1m over theft of an employee laptop containing sensitive customer data.
34/34
Dr. Frederick Wamala (Ph.D.), CISSP
Cybersecurity Specialist, UK
London, United Kingdom