Professional Documents
Culture Documents
CYBER SECURITY
REPORT 2015
Ac hieving E nter pr is e
Cyb e r Resilien ce T h rou gh
Situationa l Awaren es s
Acknowledgement
Authors
Paula Musuva Kigen | Research Associate Director, Centre for Informatics Research
and Innovation (CIRI), Digital Forensics and Cybercrime Lecturer - United States
International University (USIU)
Carol Muchai | Information Security Consultant Serianu Limited
Kevin Kimani | Information Security Consultant Serianu Limited
Martin Mwangi | Information Security Consultant Serianu Limited
Barbara Shiyayo | Data Analyst Serianu Limited
Daniel Ndegwa | Data Analyst Serianu Limited
Brencil Kaimba | Data Analyst Serianu Limited
Faith Mueni | Data Analyst Serianu Limited
Sylvia Shitanda | Data Analyst Serianu Limited
Contributors
David Kabeberi - Managing Director, PKF Consulting
Joseph Mathenge - Chief Information Security Officer, Airtel Africa
Anne Kinyanjui - Partner, Iseme, Kamau and Maema Advocates
Wycliffe Momanyi - Chief Information Security Officer, KCB Bank Group
Edgar Mwandawiro - Head of Risk, Gulf African Bank
Evanson Ikua - Information Security Consultant
Collins Ngeno - Head of ICT, Nairobi Hospital
George Okwach - Head of Audit, Crown Paints Limited
George Kisaka - Head of ICT Audit, Britam Insurance
Tyrus Kamau - Information Security Consultant and Chair of the AfricaHackOn
a service.
In view of
this changing
environment,
organisations to
their operating
environment (ICT
infrastructure,
People, Partners
and Customers)
environment.
Local cyber
continuous
security
monitoring
and detection
methods
used by
cyber
criminals
methods. Their
cheaper as their
2012
2015
Ransomware
Database Transaction
Manipulation
Social Engineering
to provide local
industries with a
comprehensive view
of the ever-changing
cyber security threat
landscape and
enable them to make
informed information
risk management
decisions...
professionals
need to refer
to a quote by Sun Tzu which emphasizes the
Key Loggers
Stealing of Password
ATM Card Skimming
career is even
becoming
...our primary
objective...
Situational Awareness...
awareness programs.
requirements.
"With evolving
and dynamic
cyber-attacks, timely
sharing of cyber
incidents and
collaboration between
Government and
Industry will greatly
improve Kenyas
Cybersecurity
preparedness"
ICT PS
Mr. Joseph Tiampati
This years
report was
based on
feedback
from our
readers. As a
result of these
feedback we
William Makatiani
5
TABLE OF CONTENTS
03
Acknowledgment
06
08
Executive Summary
12
17
20
22
33
36
39
44
50
References
Executive Summary
The past year was a particularly tough period for local organisations
with respect to cyber security. The number of threats and data breaches
increased with clear evidence that home-grown cyber criminals are
becoming more skilled and targeted. This means that local organisations
will continue to lose as they scramble to change their defensive stance.
According to the latest internet usage report from
current conceptions
hyper-connected world
of tomorrow, it will
a non-computer crime,
connectivity.
versus
space in Kenya.
At Serianu, we have witnessed the ever-evolving
By the year 2017,
it is estimated
mobile broadband
subscriptions will
approach 80%
of the countrys
total population.
By the year 2020,
the number of
networked devices
Our
Priorities in 2016
Bonus Priority:
Vulnerability Assessment
and Penetration Testing is
not enough
Organisations need to implement holistic programs
that incorporate patch management, vulnerability
Organisation should
EVALUATE the need for
Managed Security services
10
reinforced systems.
local networks).
11
Threat
Landscape
Kenya Cyber Security Report 2015
Data Exfiltration
Organisations have lost control over sensitive
and protected data.
Cyber Criminals and trusted employees are
exfiltrating hundreds of gigabytes of sensitive
data from organisations daily. The increased
use of unauthorized cloud applications and
the uncontrolled adoption of BYOD has
weakened access controls, giving users a
complete access to large volumes of
sensitive or classified data.
1
Social Engineering
Database Breaches
2
3
Insider Threats
The enemy within is still alive and kicking.
Our research indicates that over 80% of system
related fraud and theft in 2015 was
perpetrated by employees and other insiders.
We are coming across numerous cases of
privileged users probing systems for
unauthorized access and attacking systems
for a variety of reasons including
disgruntlement, revenge, and financial gain.
VPM
5
Poor Identity and
Access Management
Uncontrolled identities and
access control are exposing
organisations.
Identity and access
management processes and
technologies are not well
adopted in most local
organisations. Leading to
unauthorised and inappropriate
access to highly sensitive
information.
12
Continuous Monitoring
and Response
Almost all organisations are not
prepared for cyber threats.
In our survey, we noted that majority of
the organisations are ill prepared to
monitor and respond to cyber attacks.
90% of Kenyan organisations have no
real-time insight on cyber risks, lacking
the agility, budget and skills to combat
rising cybercrime. Majority of these
organisations are unable to detect cyber
attacks using the existing systems and
processes.
7
Vulnerability and Patch
Management
The achilles heel of organisations
cybersecurity efforts.
Our study reveals that majority of
Kenyan organisations do not perform
regular vulnerability scans on their
network thus are unable to tell their
current security posture.
Security Awareness
Training
Ignore the weakest link at your own
risk.
Most organisations in Kenya spend a
significant amount of their annual
information technology budgets on
technologies and systems to harden
their infrastructure ignoring the
untrained, uninformed or unmonitored
users. Without training, most users in
Kenya don't have the skills and
knowledge they need to adequately
protect the organisations' infrastructure
and informaiton from cyber attacks.
8
9
port
10
13
the organisation.
14
Teenager hacked
the Deputy
President, H.E. Hon.
William Ruto's &
Kenya Defense
Forcess Twitter
accounts.
2014
In December
2014, phishing
attack on over
5,000 Facebook
users in Kenya.
Confidential
information
contained in a local
banks customer
database was
compromised.
Stolen credentials
were used to gain
access to the system
and approve the
fraudulent tender
request in the Ministry
of Devolution.
In Garissa, IFMIS
passwords of senior
county staff were
stolen and used to
make illegal
payments.
Chinese hackers
arrested with
sophisticated
hacking tools.
Electronic fraud
at a reputable
local bank by an
employee.
2015
15
cyber security. In
The issue around capacity building is one that will propel the
16
systems.
Manufacturing
Banking
Saccos
17
Telecommunications
Hospitality
Insurance
Professional Services
10
Retail
18
istorically, telecommunications
a switched-circuit-style network.
distributors.
19
$
$
ERP Automation
Many organisations are moving away
from siloed systems and adopting
enterprise wide systems (Enterprise
Resource Planning (ERP)) that automate
and integrate the organisations core
business processes. These organisations need
these systems (ERP) to be competitive.
Commercialization of Hacking
The hacking community has moved into
the commercial space by offering their
tools and skills as services that can be
paid for through untraceable virtual
currencies such as Bitcoin.
Industry Regulation
Regulation especially from the CBK is
forcing many regulated organisations to
20
Teleworking
Cyber Insurance
work-life balance.
Internet of Things
The Internet of Things (IoT) refers
to the ever-growing network of
physical objects that feature an IP
address for internet connectivity,
21
Summary of Findings
(35% of respondents).
22
research.
20%
while
LACK
cyber security budgets
28%
61%
Allow BYOD
79%
Allocate
LESS than Kshs.100,000
59%
While
21%
87%
Agree cybercrime
is a real issue
13%
Not an issue
Lack policies or
procedures
23
increasingly administered in
malicious software.
to these attacks.
continue to increase.
24
Cybercrime
is NOT an issue
while
99% Cybercrime
is SOLVABLE
1%
while
64%
ONLY
36%
while
73%
Do NOT report
cybercrime
27%
50%
Manring Se
Dont know
WHAT a CERT is
25
upto
57%
Better education of
users of the internet
14
cto
10
35%
13%
while
13
20%
Do NOT review
11
while
80%
27%
19%
3%
15
35%
SHARE information
to improve security awarenesss
while
24%
Use vulnerability scanning
and penetration testing tools
is
12
less
than
5%
NOT purchased
database security
monitoring tools
16
ONLY
33%
KNOW what is
cybercrime
26
93% of manufacturing
Manufacturing
Sector Analysis
33%
93%
DONT apply
risk
management
Agree cybercrime
is a real issue
3
90%
Allocate
LESS than Kshs.500,000
69%
while
DON'T believe
they are protected
against external attacks.
54%
95%
DONT know
WHAT a CERT is
4
27
28
86% of government
organisations are
concerned by
cybercrime.
86%
33%
Agree cybercrime
is a real issue
DONT apply
risk
management
85%
Allocate
LESS than Kshs.500,000
98% of government
organisations are convinced
that they are protected from
cyberattacks internally while
94% government organisations
are not adequately protected
from external attacks
98%
93 % DONT
know of the
existence of
Computer
Emergency and
Response
Teams (CERTs)
or their role.
94%
93%
DONT know
WHAT a CERT is
29
vulnerabilities.
30
JkXk\kfifccflkZ_\Xg\i
f]]$g\Xbgfn\i
GX^\-
:flekp9lj`e\jj
C`]\
GX^\()
GX^\).
G`cfkYi\Xk_\jc`]\`ekf
jc\\gpEXeplb`X`ijki`g
EF%(0/'
DFE;8P#;<:<D9<I(#)'(+
:Xi\]lcjk\gj]fi
df[\iXk`e^XgXe\c
NNN%9;8=I@:8%:FDBJ?-'sKQJ?(#.''sL>J?)#.''sI=i0''
A[doW<WY[Xeeaki[hibei[
c_bb_edi_d^WYa_d]iYWc
CfZXc`ek\ie\k
j\Zli`kpid
jXpjdfi\k_Xe
,#'''XZZflekj
fek_\jfZ`Xc
d\[`XgcXk]fid
n\i\Yi\XZ_\[
+
9PDL>8D9@DLK<>@
Fhk^maZg.%)))D^grZg?Z\^[hhdnl^kl
aZo^ehlmfbeebhglh_labeebg`lbgZaZ\dbg`
l\ZfmaZmeZlm^]_hkZr^Zk%Zeh\Ze\r[^k
l^\nkbmrkfaZlk^o^Ze^]'
Ma^ kf% L^kbZgn% lZrl bm aZl ng&
fZld^] Z D^grZg aZ\d^k pah [khd^
bgmhi^klhgZeZ\\hngmlh_?Z\^[hhdnl&
^klbgGZbkh[b%Fhf[ZlZZg]>e]hk^mZg]
nl^]ma^Z\\^llmhlheb\bm_ng]l_khfmahn&
lZg]lh_i^hie^ebgd^]mhma^[k^Z\a^]
Z\\hngml'
Ma^aZ\d^k\k^Zm^]Zp^[lbm^maZm
ehhd^]Z^lma^mb\ZeerlbfbeZkmh?Z\^[hhd
Zg]ihlm^]bmhgkZg]hfnl^kliZ`^l%
bgobmbg`ma^fmhob^pma^bk_kb^g]leZm&
^lmiahmhl%lZb]PbeebZfFZdZmbZgb%ma^
fZgZ`bg`]bk^\mhk'
Nl^klpah\eb\d^]hgma^ebgdp^k^
Zld^]mhikhob]^ma^bkeh`&bg]^mZbelZ_k^la
bghk]^kmhikh\^^]'Hg\^ma^r]b]mabl%
ma^bknl^kgZf^lZg]iZllphk]lp^k^\he&
e^\m^]bgmhZ]ZmZ[Zl^maZm\nkk^gmeraZl
.%))/^gmkb^l'
Ma^\r[^k\kbfbgZelma^gnl^]ma^
\Zimnk^]eh`&bg\k^]^gmbZelmhmZd^ho^k
Znl^kllh\bZef^]bZiZ`^Zg]p^gmhg
mhlheb\bmfhg^r_khfma^Z\\hngmhpg&
^kl_kb^g]lpabe^fZljn^kZ]bg`Zlma^
k^Zenl^k'
Hpg^klh_ma^\hfikhfbl^]?Z\^&
[hhdZ\\hngmlp^k^Zelh\hgmZ\m^]Zg]
bg_hkf^]maZmma^bkZ\\hngmlphne][^]^&
e^m^]b_ma^r]^\ebg^]mhiZrfhg^r&&kZg`&
bg`[^mp^^gLa.%)))Zg]La*))%)))&&
bgmh]b^k^gmfh[be^fhg^rZ\\hngml'
Mhgn]`^ob\mbflbgmhiZrbg`ni%ma^
_kZn]lm^klihlm^]fZeb\bhnlZg]ZeZkfbg`
f^llZ`^lhg[k^Z\a^]?Z\^[hhdiZ`^l'
L^kbZgn^lmbfZm^lmaZmob\mbflh_ma^Zm&
mZ\dlfZraZo^ehlmni?8:B@E>#GX^\+
9I@<=@E>
JX]Xi`Zfdi\m\Xcj`ek\i\jk
`eZXj_c\jj]Xi\ZfdgXep
JX]Xi`Zfd_Xji\m\Xc\[k_Xk`k_XjX
Zfdd\iZ`Xc`ek\i\jk`ek_\ZXj_c\jj
]Xi\gXpd\ekZXi[[lYY\[Dp(0-*#
n_`Z_glkjk_\k\cZfXdfe^k_\Y`^^\jk
Y\e\Z`Xi`\jf]k_\e\njpjk\d%
GX^\/
E<NJ@E;<GK?
B\epXj_`]kj]fZljkf
_`^_$i`jb^iflgj`e
^_kX^X`ejk?@M&8`[j
GX^\j(-$(.
;NLBG>LL=:BERuFhg]Zr=^\^f[^k*%+)*-
FIZ[d_[ihkb[im[h[
X[dj\eh9[djkc
A[doW<WY[Xeea
_dYeWbfbWdjj[dZ[h
KFGE<NJ
ki[hibei[c_bb_edi
_d^WYa_d]iYWc
9P9I@8EN8JLE8
Ma^Fbgblmkrh_>g^k`raZl]^gb^]
maZmbm[^gmm^g]^kbg`kne^lbg_Zohnk
h_hg^[b]]^kbgma^fnemb&[beebhglabe&
ebg`\hZeihp^kieZgm\hgmkZ\m'
>g^k`rikbg\biZel^\k^mZkr!IL"
Chl^iaGchkh`^lZrlbgZk^ierbg`Z_&
=ifdGX^\(
mhLa.)fbeebhgbgma^ ^lbgD^grZ'Ma^D^grZIheb\^Zg]ma^
]Zobmmhhg^h_ma^ehlbg`[b]]^kl
l\Zf'Ma^aZ\d^klnl^] <^gmkZe;Zgdh_D^grZmhima^eblmh_*),
i^mbmbhgmaZmma^m^g]^k\hffbmm^^]^&
_Zd^p^[lbm^lmhk^mkb^o^nl^kgZf^lZg] \kn\bZe`ho^kgf^gmp^[lbm^lmaZmaZo^
\b]^]mhk^&^oZenZm^ma^l^o^g[b]]^kl
iZllphk]lh_?Z\^[hhdnl^kl%ZikZ\&
_Zee^gik^rmhma^aZ\d^kl'
pahaZ][^^gdgh\d^]hnmh_ma^kZ\^%
mb\^k^_^kk^]mhbgm^\agheh`rcZk`hg
Ma^;Zgdbg`?kZn]Bgo^lmb`Zmbhgl
bg\en]bg`<^gmnf%Z_m^kbm_hng]maZm
J^[C_d_ij[h_Wb
Zliablabg`'
=^iZkmf^gm
eZlm r^Zk k^ihkm^] maZm
lhf^]h\nf^gmlp^k^ghmZoZbeZ[e^Zm
Ma^;nlbg^ll=Zber\Zgghmk^o^Zema^ aZ\dbg`h_\nlmhf^k[ZgdZ\\hngml&
J[dZ[h9ecc_jj[[Wj_ji
ma^\ehl^h_ma^[b]]bg`i^kbh]'
aZ\d^klb]^gmbmrhkma^p^[lbm^nl^]bg &fZbger[r[Zgd^fiehr^^l&&[^mp^^g
c[[j_d]ed:[Y[cX[h
Ma^ Fbgblm^kbZe M^g]^k <hf&
ma^l\Zf[^\Znl^ma^fZmm^kaZllbg\^
:ikbe+)*+Zg]+)*,e^]mhehll^lh_
fbmm^^Zmbmlf^^mbg`hg=^\^f[^k.%
+"(&')Wffhel[Zj^[
[^^gk^ihkm^]mhma^<r[^k<kbf^Ngbm
La*'-2[beebhg'
+)*,Ziikho^]ma^k^&^oZenZmbhgh_
h_ma^=bk^\mhkZm^h_<kbfbgZeBgo^lmb`Z&
GZbkh[bL^gZmhkFbd^LhgdhlMpbmm^k
h[#[lWbkWj_ede\i[l[d
l^o^gngln\\^ll_ne[b]]^kl'Ma^k^&
mbhgl!=<B"%pahZk^bgo^lmb`Zmbg`'
Z\\hngmpZlk^ihkm^]er\hfikhfbl^]
kdikYY[ii\kbX_ZZ[hi$
^oZenZmbhg
\hffbmm^^ k^\h`gbl^]
mablp^^d%^q^fieb_rbg`ma^n[bjnbmhnl
Ma^p^[lbm^%pab\aaZllbg\^[^^g
ma^ngZoZbeZ[bebmrh_]h\nf^gml[r
AFJ<G?EAFIF><#
mZd^g]hpg%pZlk^`blm^k^][rZD^grZg%
gZmnk^h_ma^\kbf^bgma^\hngmkr'
<E<I>PGI@E:@G8CJ<:I<K8IP
\hglb]^kbg`[hmama^aZk]Zg]lh_m
ahlm^]eh\ZeerZg]pbmaZLZ_Z&
Ma^ ?Z\^[hhd aZ\d&
\hib^lmaZmaZ][^^gln[fbmm^]%Fk
kb\hffh[be^iahg^gnf[^k
^klhi^kZmbhgaZllbg\^
Gchkh`^lZrl'
Zlma^\hgmZ\mebg^'
[^^g lanm ]hpg pbma
M[Wh[mW_j_d]
Ma^ILpZlk^lihg]bg`mh\eZbfl
kf<^gmnfmh[Z`ma^La*0-[be&
Bgm^kg^ml^\nkbmr[k^Z\a
ma^a^eih_IablaMZgd%Z
[rZ<abg^l^kfmaZmehlmma^\hZe
ebhgch['
\ehj^[l_Yj_cije
aZl[^\hf^Zl^kbhnlikh[&
NL&[Zl^] Zgmb&iablabg`
ihp^kieZgmch[%A<B@%maZmma^Fbg&
A<B@aZ]\eZbf^]bgZi^mbmbhgbm
e^f lbg\^ D^grZ bglmZee^] Yec[\ehmWhZWdZ lbm^ nl^] [r e^Z]bg` BM
blm^kbZeM^g]^k<hffbmm^^k^eZq^]ma^
e^]bgma^Ab`a<hnkmmaZmma^>g&
[khZ][Zg]
Bgm^kg^m pbma
kflebd^@hh`e^%RZahh
cWa[W\ehcWb
[b]]bg`kne^lmh^gZ[e^bgo^lmf^gm
K<E;<I#GX^\+
^k`rfbgblmkr%Zg]FhsbeeZmho^kb_rma^
ma^eZg]bg`h_ng]^kl^Z&
YecfbW_dj
[k^himb\\Z[e^lbgFhf[ZlZ
lZ_^mrh_p^[lbm^l'
:=<Bh\^kZmma^<r&
o^r^ZklZ`h'
;:@F==@:<I
[^k<kbf^Ngbmbg\aZk`^
<kbfbgZel aZo^ nl^]
h_ ma^ ?Z\^[hhd l\Zf
ab`a&li^^] Bgm^kg^m mh be&
e^`Zeerh[mZbgZg]laZk^\kn\bZenl^k bgo^lmb`Zmbhg\hgkf^]maZmL^kbZgn
bg_hkfZmbhgmaZmaZl\hlmfbeebhglh_ aZ]e^]Zk^ihkm]^mZbebg`ma^aZ\d&
\hfiZgb^lZg]bg]bob]nZel[beebhglh_ bg`bg\b]^gm'
L^kbZgnZiikhZ\a^]nlk^\^gmerZg]
labeebg`lZggnZeer'
ND [khZ]\Zlm^k% ;;<% eZlm p^^d ikhob]^]bg_hkfZmbhgZ[hnmma^Zee^`^]
k^ihkm^]maZmZ]fbgblmkZmhklh_ZKnl& \kbf^%bg\en]bg`]^mZbelh_hg^h_ma^
lbZg&[Zl^]lbm^bgemkZm^]mahnlZg]lh_ bg]bob]nZelpahpZlZ^\m^]%lZb]ma^
bgl^\nk^[Z[rfhgbmhkl%p^[\ZflZg] h\^kpah]^\ebg^]mh[^jnhm^]Zla^
<<MO\Zf^kZlbgho^k+.)\hngmkb^l% blghmZnmahkbl^]mhli^Zdhghg`hbg`
bg\en]bg`D^grZ%ND%IZdblmZgZg]Sbf& bgo^lmb`Zmbhgl'P^Zk^pZbmbg`_hkma^
[Z[p^%Zg]fhgbmhk^]ebo^_^^]l'
ob\mbflmh\hf^_hkpZk]Zg]fZd^Z
Bgma^iZlm*+fhgmal%ma^k^aZl[^^g _hkfZe\hfieZbgm%lZb]ma^h\^k'
Z[nbe]&nih_Bgm^kg^ml^\nkbmr[k^Z\a&
Ma^;nlbg^ll=ZberaZl^lmZ[ebla^]
ABLMHKB<MKBI
Ma^D^grZ<r[^kL^\nkbmrk^ihkmk^&
e^Zl^]bgCng^[rM^e^\hffngb\Zmbhg
L^kob\^lIkhob]^klh_D^grZ!M^lihd"
lahp^]maZm\r[^k&ZmmZ\dlfhk^maZg
]hn[e^]bgma^iZlmr^Zkmh.'-fbeebhg'
Pabe^ik^obhnlerfZgrh_ma^ZmmZ\dl
\Zf^_khfZ[khZ]^li^\bZeer<abgZ
ma^fZchkbmrh_ma^*'1fbeebhg\hfinm^kl
nl^]p^k^lmZmbhg^]eh\Zeer%bg]b\Zmbg`
maZmma^ZmmZ\dlp^k^_khfpbmabg'
Bglb]^kmak^Zm[r^fiehr^^lp^k^
^Zkeb^kmablr^ZkkZgd^]mhibgma^eblm
h_\r[^kl^\nkbmrkbldl_Z\^][rgZg\bZe
bglmbmnmbhgl%^li^\bZeermahl^maZmaZo^
^f[kZ\^]fh[be^Zg]hgebg^[Zgdbg`'
FkGchkh`^\bm^]Zghg`hbg`bgo^l&
mb`Zmbhgpa^k^o^^fiehr^^lh_Zeh\Ze
fb]&mb^k[ZgdZk^[^bg`bgo^lmb`Zm^]_hk
lm^Zebg`La+1)fbeebhg_khfma^bk^f&
iehr^k'Ma^\Zl^bl^qi^\m^]mhfho^mh
\hnkmmablfhgma'
Ma^Z\\nl^]Zee^`^]ermbgd^k^]pbma
ma^\hk^[Zgdbg`lrlm^fZnmahkblZmbhg
ikhmh\helZg]fho^]ma^fhg^rhnmmh
l^o^kZeZ\\hngmlmakhn`afh[be^fhg^r
Zg]Bgm^kg^m[Zgdbg`mkZglZ\mbhgl'
NL bg_hkfZmbhg m^\agheh`r `bZgm
B;Fbg:n`nlmlb`g^]Z]^Zepbmama^
`ho^kgf^gmmaZmpbeel^^bm]^o^ehi\r&
?\X[f]k_\:Xk_fc`Z:_liZ_Gfg\=iXeZ`jjg\Xbjn`k_<Zld\e`ZXcGXki`XiZ_9Xik_fcfd\n@X]k\ik_\p
[^kl^\nkbmrlreeZ[nl_hkg^pk^\knbml
@JK8E9LC j`^e\[Xaf`ekjkXk\d\ekXkJk>\fi^\:_liZ_#k_\gi`eZ`gXc>i\\bFik_f[foZXk_\[iXc#p\jk\i[Xp[li`e^
chbgbg`ma^iheb\^l^kob\^'
_`jk_i\\$[XpKlib\pkfli%Gfg\=iXeZ`jXcjf_\c[Xe\Zld\e`ZXcgiXp\i`ek_\Fik_f[fo:_liZ_f]Jk%>\fi^\Xe[Xgi`mXk\
<nkk^gmer%fhlm\r[^k\kbf^fZmm^kl
8=G
d\\k`e^n`k_GXki`XiZ_9Xik_fcfd\n@#c\X[\if]k_\nfic[j*''d`cc`feFik_f[foY\c`\m\ij%
Zk^aZg]e^][rlfZeeZm^Zfh_BM^q&
i^kmlma^D^grZ<hfinm^kBg\b]^gm
8_XZb\iXknfib%B\epXe=XZ\Yffblj\ij_Xm\cfjkd`cc`fejf]j_`cc`e^jkf_XZb\ij%=@C< K^lihgl^M^Zf[Zl^]Zmma^<hffn&
gb\Zmbhgl:nmahkbmrh_D^grZ'
maZmhg^h_ma^ob\mbflblZgnkl^ZmZ h_bfikho^]Bgm^kg^mbg_kZlmkn\mnk^%[nm
Ma^m^Zfl\hk^]nmrblmhebZbl^pbma
hma^k `ho^kgf^gm Zg] bgm^kgZmbhgZe
eh\ZeahlibmZe'A^k?Z\^[hhdZ\\hngm% ZelhZjn^lm_hk_Zf^Zg]p^Zema'
pab\abllmbeeng]^kma^aZ\d^kl\hgmkhe%
;^lb]^l%D^grZ]h^lghmaZo^^ghn`a [h]b^lmhmZ\de^\r[^k&\kbf^'
pZl\hfikhfbl^]bgeZm^H\mh[^kZg] ikh_^llbhgZelpah\Zg^^\mbo^erl^\nk^
a^k_kb^g]laZo^lbg\^pbk^]La*0%))) i^klhgZe]ZmZhkk^[n\r[^k&ZmmZ\dl'
ifnm^`b9d^'gZmbhgf^]bZ'\hf
>qi^kmaZ\d^klZkhng]ma^phke]Zk^
mhma^_kZn]lm^kl]b^k^gmF&I^lZZ\&
\hglb]^k^]a^kh^lZg]k^o^k^]bgfZgr
\hngml'
Lm^ia^gPZgcZeZ%ma^ob\mbflanl& jnZkm^kl%lZb]@^hk`^Gchkh`^%<>Hh_
=FIDFI<FE
[Zg]%lZb]ma^raZ]\hgmZ\m^]ma^<B= >Zlm:_kb\Zg=ZmZAZg]e^kl'Lhf^eh\Ze
K?@JJKFIP
h\^kbg\aZk`^h_ma^bgo^lmb`Zmbhg aZ\d^klZk^Z_m^kZlbfbeZklmZmnlZg]b_
J:8EK?@J
Zg]p^k^ik^iZkbg`mhfZd^Zgh\bZe ma^r\ZgfZd^lhf^fhg^rpabe^Zmbm%
:F;<FICF>
lmZm^f^gm'<r[^kl^\nkbmr^qi^kmllZrma^ ma^[^mm^k'B`ghkZg\^hgma^iZkmh_nl&
FEKF
^qihg^gmbZebg\k^Zl^bgma^gnf[^kh_ ^kl%bg\en]bg`\hfiZgb^l%Zg]eZ\dh_
nnn%Ylj`e\jj[X`cpX]i`ZX%Zfd'(())'(+
eh\ZeaZ\d^klblghmhgerZ]bk^\mk^lnem ^qi^kmbl^phkl^gma^lbmnZmbhg'
31
planning.
technology-enabled institutions
telecommunication players.
processes.
32
malicious traffic
reached the end-user
computers and
bypassed current
network security
solutions
atleast
infrastructure
devices (servers)
infected in ALL
organisations
15
68%
of attacks
were customized
malware
average of
infected end-user
computers sending lots
of traffic to malicious
hosts
ALL organisations
exposed to malicious
software that had
penetrated their
perimeter security
33
How do you
determine an infected
organisation?
Organisations
should investigate
whether their
protection
mechanisms
are sufficient
in todays
interconnected
world where
attacks are
growing in
complexity.
organisations
were
averaging
2 infected
infrastructure
hosts (servers),
15 infected
end user
computers
and 30
unauthorized
remote
connection per
day.
network.
logged activities, which takes way too much time and man
hours.
34
know how of what to look for and most managers are just too
35
67%
discovered devices
vulnerable to attack
75,000
discoverable devices
analysed
Microtik and
Cisco routers
are the most
vulnerable
enterprise
routers at 12%
and 5%
respectively.
40%
17%
Microtic & Cisco
most vulnerable
routers
30,000
routers analysed
Apache Tomcat
most vulnerable
web server
8,055
75%
Seventy Five Percent (75%)
consisted of IP Remote Access
surveillance systems like
Hikvision and Duhan CCTVs.
most vulnerable
6,500
65%
Mail servers
most vulnerable
applications & databases
7,000
enterprise applications
and databases analysed
devices analysed
36
50%
Missing Patches
20%
15%
11%
4%
phishing scams.
37
Kenya
Kenya Cyber
CyberSecurity
Security
Report
Report
2015
2015
46%
Port 5060 (SIP)
information as well as
enforcement mechanisms
Cybersecurity breaches
take place at multiple penetration points. Some non-technical
issues that need to be looked at as starting points include
portable devices (BYOD) policies, desktop & workstation security,
poor password protection, lack of encryption, employees lacking
security awareness and weak controls & protocols for access to
data (including remote access).
that their law firms take more steps to guard against online
your data, assessing the risks posed to this data and developing
These steps and others can help local law firms address their
38
77%
23%
Malware
Attacks
Denial of Service,
Adware & Spyware
Attacks
41,377
Malware Categories
68% of the malware category was uniquely customized
for the African Region. The Virut malware is slowly
penetrating the Kenyan cyberspace. Once it has
68%
Customized
Malware
Backdoor.Win32.PcClient
Is a backdoor Trojan family with
several components including a
key logger, backdoor
and a root kit.
MultiPlug.J Checkin
Win32.Sality
39
20%
11%
19%
China
United States
of America
Germany
46.165.211.163
United States
of America
66.135.48.23
40
3,998
vulnerabilities
2,813
vulnerabilities
2,687
vulnerabilities
Vu l n e ra bi liti e s
E xp loit s
2013
2014
2013
5191
7946
185
35%
increase
2014
391
53%
increase
41
Kenya
KenyaCyber
CyberSecurity
SecurityReport
Report2015
2015
testament to this.
etc.)
cybercrime cost.
withstand a cyber-attack.
42
4,365
vulnerabilities
43
total of 14 categories.
smaller organisations.
Organisations intending to be compliant to any of
As the 2015 report shows, most SMEs and African based
44
The Framework
The Serianu Cybersecurity baseline controls are
intended to address only the implementation and
management of cybersecurity practices associated with
information technology and operational consideration for
organisations operating in Sub-Saharan Africa.
cybersecurity-related activities,
programs, processes, or approaches
that organisations operating
in sub-Saharan African have
implemented.
These controls are designed to be flexible enough to
be used both by SME and sub-Saharan Africa based
organisations with mature cybersecurity and risk
management programs and by those with less-developed
programs. Each organisation will choose if, how, and
where it will use the Framework based on its own
operating environment. Choosing to implement the
Framework does not imply that an existing cybersecurity
and risk management approach is ineffective or needs to
be replaced. Rather, it means that the organisation wishes
to take advantage of the benefits that the Serianu Cyber
Security Framework offers. This framework is closed tied to
globally acceptable standards including COBIT, ISO 27001,
SANS 20 Controls, and NIST.
This section highlights Serianus 14 baseline controls.
We have also matched the top threats and risks activities
observed in the year 2015 as per the Kenya Cyber Security
report to these controls.
45
CATEGORIES
Cybersecurity
Program
Governance and
Strategy
Vulnerability &
Threat
Management
Failure to
identify all
possible risk
prone assets to
the organization
Inadequate
security
controls across
the business
User
Provisioning &
Access
Management
Insider
Threats
Lack of
monitoring
and incident
response
processes
Misconfigurations
Limited
budgets
Lack of
management
buy-in
Poor Identity
and Access
Management
Unauthorized
changes to
critical
systems
Lack of
vulnerability
and patch
management
Unauthorized
changes to
critical systems
Failure to
identify &
controls risks
inherent to the
organization
Mobile
Malware
Use of stolen
user accounts
Port
Scanning
Abuse of
privileged
accounts
Malicious
software
Network
Attacks
Password
sharing
Use of generic
accounts
Port
Scanning
Data
Exfiltration
Social
Engineering
Data
Exfiltration
Inappropriate
access to
systems
Email
Spoofing
Inability to
identify
common
threats with
industries
Unauthorized
changes to
critical systems
Network
Attacks
DDOs
Lack of
security
Awareness and
Training
Continuous
Monitoring &
Incident
Response
Inadequate
Database
Security
Failure to
resume
business
operations
Illegal use of
remote access
tools
Cybersecurity
Program Governance
and Strategy
Inadequate
security
controls across
the business
CONTROLS
Definitions
Limited
budgets
ISO 27001:2013
A.6.1.5
NIST PM
CYBER SECURITY
PROGRAM
MANAGEMENT
SITUATIONAL
AWARENESS
Failure to
identify and
controls risks
inherent to the
organization.
Inability to
identify
common
threats with
industries.
Global
Frameworks
Referenced
RISK
MANAGEMENT
INFORMATION
SHARING
Social
Engineering
AWARENESS
AND TRAINING
Lack of
security
Awareness and
Training
NIST SP 800-53,
PCI DSS 12.6,
ISO 27002
16.1.6 & SANS
ISO 27002
16.1.2
NIST SI 5
ISO/IEC
17799:2005
8.2.2
SANS CSC 9-1,5
NIST AT 1,2
Vulnerability &
Threat
Management
Social
Engineering
CONTROLS
ASSET
MANAGEMENT
Configuration
Unauthorized
changes to
critical systems
CHANGE
MANAGEMENT
Lack of
vulnerability
and patch
management
DDOs
Network
Attacks
Port
Scanning
THREAT AND
VULNERABILITY
MANAGEMENT
BOUNDARY
DEFENCE AND
BRING YOUR
OWN DEVICE
(BYOD)
MANAGEMENT
Mobile
Malware
Email
Spoofing
CONFIGURATION
MANAGEMENT
Definitions
Global
Frameworks
Referenced
NIST CM 6,
PCI DSS 2.2,
ISO 27001
CNSSI 4009 and
SANS CSC 3,10
NIST CM 5,
PCI DSS 6.4.5,
ISO 27002 7.3.1
and SANS
NIST RA 5,
PCI DSS 5,
ISO 27002 12.6CNSSI
4009 and SANS CSC
4-1,10
NIST SP 800-53,
PCI DSS 12.3
ISO 27002 6.2.2,
CNSSI 4009 and
SANS CSC 5-1,11
Data
Exfiltration
Inadequate
Database
Security
DATA SECURITY
MANAGEMENT
Failure to
resume
business
operations
Insider
Threats
Password
sharing
Continuous
Monitoring &
Incident
Response
Network
Attacks
CONTROLS
Poor Identity
and Access
Management
Abuse of
privileged
accounts
Unauthorized
changes to
critical systems
Inappropriate
access to
systems
IDENTITY AND
ACCESS
MANAGEMENT
Use of
generic
accounts
Unauthorized
changes to
critical systems
Illegal use of
remote access
tools
Data
Exfiltration
NIST 5.1.2,
PCI DSS 1,4,5, ISO
27002 10.1.1 and
SANS CSC 17-1, 3
BACKUP AND
RECOVERY
MANAGEMENT
User Provisioning
& Access
Management
Use of stolen
user accounts
Malicious
software
Lack of
monitoring
and incident
response
processes
Port
Scanning
Definitions
NIST 3.4.1,
PCI DSS 12.9.1,
ISO 27002
12.3.1 and
SANS CSC 8-1,4
Global
Frameworks
Reference
NIST AC-1,
PCI DSS 7,
ISO 27002 9.1.1
and SANS 15.4
CONTINUOUS
MONITORING &
INCIDENT
RESPONSE
References
Cloud Computing
Teleworking
https://en.wikipedia.org/wiki/Cloud_computing
http://onlinecareertips.com/2015/04/benefits-and-disadvantages-of-
http://www.itnewsafrica.com/2014/09/cloud-computing-set-for-
teleworking-an-employees-perspective/
massive-growth-in-sa-kenya/
http://www.webopedia.com/TERM/T/teleworking.html
ERP Automation
Internet of Things
http://www.automationmag.com/software/erp/1069-erp-success-
http://www.webopedia.com/TERM/I/internet_of_things.html
mitigating-failure-risks
http://www.kachwanya.com/2015/04/30/interent-of-things-in-kenya/
https://en.wikipedia.org/wiki/Enterprise_resource_planning
NFC
Managed Services
http://www.nearfieldcommunication.org/benefits.html
http://heartlandtechnologies.com/blog/7-advantages-managed-it-
http://www.nearfieldcommunication.org/nfc-security-risks.html
services
http://www.digitaltrends.com/mobile/nfc-explained/
https://en.wikipedia.org/wiki/Managed_services
http://www.nfcworld.com/2014/05/16/329210/safaricom-reports-
merchant-adoption-mobile-money-point-sale/
https://securityintelligence.com/is-nfc-still-a-vulnerable-technology/
Cyber Insurance
http://www.computerweekly.com/news/2240202703/An-introductionto-cyber-liability-insurance-cover
http://www.insurancegateway.co.za/Kenya/PressRoom/ViewPress/
URL=Cyber+liability+v+Commercial+Crime+Insurance+1#.Vgz0Svmqqko
Cyber Security Survey
https://www.cyberroad-project.eu/en/project/
BYOD
http://www.cert.org/incident-management/national-csirts/national-
https://www.sophos.com/en-us/security-news-trends/security-trends/
csirts.cfm?
byod-risks-rewards/what-byod-means-for-security.aspx
https://www.cvedetails.com/vulnerabilities-by-types.php
http://www.crn.com/slide-shows/security/240157796/top-10-byod-
https://www.giac.org/paper/gsec/317/default-password-threat/100889
risks-facing-the-enterprise.htm/pgno/0/1
50
VPM
port