Monthly Archives: April 2018

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in the Federal, State or Local, Education, or Commercial Business areas, you all face the same challenge, whether you accept it or not. In the security risk management world, if a malicious actor wants into your network, they will figure out a way to get in. You still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond when the breach occurs.

Having spent 38 years in Information Security, the one constant I see is that the individuals who make it their business to steal or disrupt your data are better funded, better trained, and have unlimited hours to practise their trade. What we hope to achieve is to be, at worst, half a step behind them. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager? Create a strategy whereby you frequently identify the threat and measure the risk against that threat in your as-built infrastructure. Test frequently, outside and inside, using the same tools and techniques the malicious actors use. Test user security awareness, since it takes only one click on a malicious link in a phishing email to potentially bring down an entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy that keeps risk mitigation focused on the most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean? Implementing the people, process, and technology in key security areas that give you a fighting chance to detect and react to malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain; not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world a lapse in judgment is commonplace. We live in a rapid-fire, high-availability, high-output world, and mistakes can and will be made. So make it less commonplace: train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again, our high-powered technical, mobile, and social world often demands we run at warp speed. Who has time to document? Make the time. Good documentation, including processes, policies and standards as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, a designated review date, and an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available at what I like to call the security “choke points”: endpoint, network, edge, gateway, and so on. This is just what everyone does. However, why not use the process we discussed above (measure, document, prioritize, and build a risk roadmap strategy) as your guideline for what technology you purchase and deploy? Ask yourself: what is so wrong with selecting and implementing a product only after you validate how it will help you manage your documented security risk? Of course the answer is: nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate seamlessly. In other words, your endpoint, edge, network, gateway, sandbox and other security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape the Unified Security Stack. And don’t forget that all technology must have a people and process component as well.
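As an added example (not code from the original post or from any product the post mentions), here is what “talk to each other” looks like in practice: a small correlation rule in Python that joins mail gateway, endpoint and proxy telemetry by user and host, so that a delivered email, an Office document spawning a shell, and a first-time connection to the domain from that email become one high-severity alert instead of three low-severity events that nobody looks at. The event schema, field names, sample events and the 15-minute window are all constructed for this example, and the proxy is assumed to supply a "first seen in the organisation" flag for a destination domain.

```python
"""Cross-source alert correlation: the "unified stack" idea in code.

Added illustration, not code from the original post. The event schema,
field names and sample events below are constructed for this example.
Each event on its own is low severity; only the chain
(phish delivered -> Office app spawns a shell -> that host reaches the
emailed, never-before-seen domain) deserves a page-out.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry from three separate controls.
GATEWAY_EVENTS = [
    {"ts": "2018-04-10T09:01:05", "src": "mail_gateway", "user": "jdoe",
     "verdict": "delivered", "url_domain": "inv0ice-portal.example"},
    {"ts": "2018-04-10T09:03:40", "src": "mail_gateway", "user": "asmith",
     "verdict": "delivered", "url_domain": "cafeteria.example"},
]
ENDPOINT_EVENTS = [
    {"ts": "2018-04-10T09:06:12", "src": "edr", "host": "ws-jdoe", "user": "jdoe",
     "parent": "WINWORD.EXE", "process": "powershell.exe"},
    {"ts": "2018-04-10T09:20:00", "src": "edr", "host": "ws-asmith", "user": "asmith",
     "parent": "explorer.exe", "process": "outlook.exe"},
]
PROXY_EVENTS = [
    {"ts": "2018-04-10T09:06:20", "src": "proxy", "host": "ws-jdoe", "user": "jdoe",
     "dest_domain": "inv0ice-portal.example", "first_seen_in_org": True},  # assumed proxy flag
    {"ts": "2018-04-10T09:21:03", "src": "proxy", "host": "ws-asmith", "user": "asmith",
     "dest_domain": "cafeteria.example", "first_seen_in_org": False},
]

# Office parents and script/shell children that a macro typically chains together.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def correlate(gateway, endpoint, proxy, window_minutes=15):
    """Return one combined alert per delivered mail whose endpoint and
    network follow-on events chain together within the window.
    A stage that is missing, or outside the window, yields no alert."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for mail in gateway:
        if mail["verdict"] != "delivered":
            continue
        t0 = _t(mail)
        # Stage 2: an Office parent spawning a shell under the same user.
        for ep in endpoint:
            if ep["user"] != mail["user"]:
                continue
            if ep["parent"].upper() not in OFFICE_PARENTS or ep["process"].lower() not in SHELLS:
                continue
            if not (t0 <= _t(ep) <= t0 + window):
                continue
            # Stage 3: the same host then contacts the emailed domain, new to the org.
            for px in proxy:
                if px["host"] != ep["host"]:
                    continue
                if px["dest_domain"] != mail["url_domain"] or not px["first_seen_in_org"]:
                    continue
                if not (_t(ep) <= _t(px) <= t0 + window):
                    continue
                alerts.append({
                    "user": mail["user"],
                    "host": ep["host"],
                    "domain": px["dest_domain"],
                    "severity": "high",
                    "evidence": [mail["src"], ep["src"], px["src"]],
                    "span_seconds": int((_t(px) - t0).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(GATEWAY_EVENTS, ENDPOINT_EVENTS, PROXY_EVENTS):
        print(alert)
```

The join keys (user, host, the domain lifted out of the email) are the whole point: if the mail gateway cannot tell the EDR which user received a message, or the proxy cannot be asked which host made a connection, no rule like this can be written, and that inability is the practical test of whether a product belongs in the stack. Widening the window trades missed slow chains for more false joins; the test below shows the same events producing nothing at five minutes.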

Good information security risk management and risk governance does not come by accident. It takes planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when they get in.

The post Be a Conscientious Risk Manager appeared first on Connected.


IN BRIEF: Heads of ICT departments met to discuss their challenges, and the best ways to solve them, in sessions that have concluded in Kenya.

Policy makers and legislators have been making ICT decisions without involving ICT stakeholders. This has become one of the challenges that puts productive work at odds with policy for ICT practitioners in many parts of Africa.

The discussion, which focused on the importance of regulating and overseeing practitioners in the ICT sector, was seen as a good one, but it is clouded by several challenges arising from the low involvement of stakeholders in bringing change to the sector.

This discussion took place following a new policy in Kenya that will formalise ICT practitioners and require them to be registered before they can practise in various fields. This would resemble what we have in Tanzania for lawyers and for professionals in several other fields.

What is expected in formalising the ICT sector, so that an ICT practitioner is recognised and can serve in the sector, is passing through three main stages: study, an interview or examination, and being issued a licence to provide services in the sector.

The challenge identified includes the possibility of killing the talent of ICT innovators who have been producing useful innovations without formal training in the sector.

We have witnessed young people who studied fields other than ICT and later produced good ICT systems that solved various challenges in our communities, unlike others who studied the field itself and failed to become innovators who bring change to our societies.

There are systems in use in many places whose creators had no formal ICT education. Moreover, the key question is whether using ICT should require the person to have formal education, given that every sector depends on ICT and anyone skilled in any field could potentially do well with ICT systems.

GDPR (General Data Protection Regulation): The European Union countries expect to formally begin applying the GDPR at the end of May 2018. Its main objective is to protect the privacy of their citizens.

This step may affect many parts of the world, Africa included, since we continue to do business with and serve EU countries, which involves data of EU residents being held by us.

There was a serious discussion of what our institutions, especially financial ones, should expect once the EU formally begins applying the GDPR, and of the best way to protect the privacy of users of ICT systems in our institutions so as to avoid what we may face after the GDPR comes into force in Europe.

CSIRT (Computer Security Incident Response Team): We have had the challenge of a lack of dedicated units to respond to cybercrime incidents in various institutions and companies. This stems from low awareness of the importance of these dedicated units whose role is to respond to cybercrime.

The importance of a CSIRT, how to establish one, and its responsibilities in every company and institution was a discussion I led to ensure everyone understands this.

Cybercrime incidents in our countries leading to loss of money, loss of data, hacking of systems and so on have been occurring frequently, leaving major impacts on government and private institutions in many parts of the world.

It is the duty of every institution and company to recognise that it has a responsibility to protect itself against cybercrime, and the only way to get there is to have a dedicated unit whose sole role is cyber defence, so that the unit can ensure cyber security is in place.

In addition, there were many other discussions, all aimed at ensuring we recognise the right way to deal with the many challenges arising from the heavy use of ICT systems that ease work in various institutions and companies.


IN BRIEF: Morocco will be hosting this year’s CyFy Africa, where experts and practitioners from around the globe are expected to discuss the future that technology holds for the continent. CyFy Africa comes at a time when the world’s attention is centred on Africa’s rise towards becoming the next digital superpower.

Cyber Security and Global Stability, Data Security, Securing the Future of Africa’s Mobile Market, and A Normative Framework for African Cyberspace: Lessons from the AU Convention on Cybersecurity and Personal Data Protection (AUCC) are among the key agenda items to be discussed during this year’s event.

Other agenda items are Human Rights in the Digital Age, The Future of Entertainment, Online Youth Investment: Successes, Opportunities and Challenges, and Internet Capacity Building for Development.

I expect to join other cybersecurity experts and practitioners to address delegates during the CyFy Africa 2018 event.
NEWS UPDATES: The JUTA Cyber Crime and Cyber Security Bill Pocket Book will be launched during the Lex-Informatica Annual SA Cyber Law & ICT Conference 2018 in Johannesburg, South Africa. The theme of the event is “Cyber Law in ICT Review”.
I’ll be joining other experts to discuss and enlighten delegates on key issues people are facing worldwide, through topics such as Cyber Crime, Cyber Security, Digital Forensics, Data Breach, Data Protection, Social Media Law and POPIA, to mention a few.

In a few short years, African nations have made the leap from responsive adaptation of imported technology to pioneering innovation across a host of digital service sectors such as finance, agriculture, education, and health.

The ascent of the ‘Silicon Savannah’ is evident from the emergence of hundreds of innovation hubs, technology related enterprises, and the heavy infusion of venture capital across the continent.

As the experience with the African Union Convention on Cybersecurity and Personal Data Protection shows, the African Union (AU) allows the continent to put forth an African proposition on the digital space. Additionally, the continent has made great strides towards digital integration with the advent of the One Area Network initiative. The massive rollout of fibre-optic cables across the length and breadth of the region has catalysed the creation of scores of young tech entrepreneurs, who are eager to reap digital dividends.

Indeed, it is only a matter of time before the world’s most important innovations flow out of Africa. The event is structured around the broad themes of connectivity, digital inclusion, security, innovation and trade.


IN BRIEF: TaskRabbit has become a victim of cybercrime, IKEA has confirmed. This continues the pattern of applications and other online services being broken into by cybercriminals, with people’s data ending up in unsafe hands.

TaskRabbit, founded in 2008 by Ms. Leah Busque with the aim of providing informal jobs to people, was bought by IKEA in 2017. It has been operating independently within the group of companies owned by IKEA.

The application has been used mostly by residents of the United Kingdom, and elsewhere, to find informal work such as household chores, gardening and other tasks; the application and the online services associated with it have been collecting data on both job seekers and those looking for people to do those jobs.

Discussion among cyber security practitioners indicates that a great deal of customers’ personal data has been collected and has now fallen into the hands of cybercriminals. The application and the website were shut down temporarily following the incident.

The UK communications commissioner has acknowledged being aware of the incident and says they are following it closely. Meanwhile, TaskRabbit has so far declined to explain the actual nature of the incident, while the breach is estimated to have had a major impact and may have gone on for some time.

The company says it is conducting a thorough investigation of the incident, has asked its customers to change their passwords, and has promised to release more information about further impact once the investigation is complete, while also assuring customers who were unable to do their jobs because of the faults that led to the temporary shutdown of the service that they will be compensated.


APPLICATION OWNERS: There has been strong emphasis on online service providers, including application providers, being required to ensure they are prepared to protect their customers’ data before they start offering services.

Moreover, given the large wave of cybercriminals inserting unsafe code into applications without the owners’ knowledge, we have issued new guidance to ensure owners protect their customers and users, and if cybercriminals cause harm, the owner is the one who will be held accountable.

Recall the Uber incident, in which the popular ride-hailing application found itself in trouble after leaving an opening for cybercriminals, leading to millions of user records falling into the hands of cybercriminals.

APPLICATION USERS: First of all, every user of any application must recognise that they have a responsibility to understand how their privacy is protected by that application.

There are various steps we have been taking to ensure people’s personal data stays safe, but it is also the user’s responsibility to follow the guidance we provide.

- Before downloading and installing an application on your phone, is there a need for it? Do you really have to have it?
- Do you know the application you are using well? In particular, what does it take from you before providing its service?
- Do you grant the application only the minimum data it needs, or do you give it far more data than that, endangering your privacy?
- Do you use strong passwords and change them regularly to protect yourself?

Despite the great efforts we have continued to make, the major challenge has been that users have little understanding of how to protect themselves, which leads to incidents of people’s privacy being compromised as cybercrime continues to grow in many parts of the world.