Friday, March 15, 2013

IEBC Bug: Expanding the scope

Picking up from where we left off last time, the 'buggy code' in the IEBC vote tallying system seems to have gone the way of the dodo: no one is actively pursuing that angle anymore.
Nonetheless, let me put into perspective what the above 'hitch' could mean for our ICT landscape.

Kenya is well known for innovation in the mobile space. Most, if not all, banks are now running mobile banking solutions which, among other benefits, make banking convenient. Since the majority of banks contract third-party vendors to execute their mobile banking strategies, the end customer has very little or no knowledge of what checks and balances their bank has employed. It is all trust, based on the reasoning that "since my bank always takes care of my finances, this solution shouldn't be any different." Banks will probably enforce their information security procedures (PCI DSS or ISO 27001) to ensure the mobile banking platform meets the baseline requirements, if those procedures exist at all, because I know of just a handful of banks that are ISO 27001 compliant. Even then, a gap remains: nothing ensures that the vendor itself meets a minimum baseline for handling the customer's data. This leaves every vendor running off to develop and deploy its own solution based on its own understanding of what "security" is.

The bank could also contract an external audit firm before go-live, just to ensure that all loopholes are sealed. However, this presents an interesting challenge. Locally, most audit firms come from a financial background and therefore perform systems audits based on templatized methodologies which are not exhaustive enough. Mobile banking hasn't been on the scene for very long, so some of these audits barely look at the entirety of the ecosystem and the players involved, and instead focus on a few facets perceived to be risk factors. With this in mind, I know of some banks which have paid dearly for failing to perform an exhaustive risk assessment prior to go-live and, interestingly enough, the compromises have all been internal.

To tie it all together: if a system like the above isn't opened up to scrutiny from a holistic risk perspective, taking into consideration all the dynamics introduced by mobile commerce, then you can see how much an error like the IEBC "multiply by 8" factor, compounded across transactions, could cost financial institutions. It also paints a rather unflattering picture of Kenya's software development ethic.

However, the Government hasn't turned a blind eye to this, and after the successful launch of the National Cyber Security Master Plan (http://www.cio.co.ke/news/main-stories/kenya-launches-national-cyber-security-strategy-and-master-plan) I can comfortably say that standards in development methodologies will be harmonized. The CBK also introduced stringent measures for banks (http://www.centralbank.go.ke/index.php/news/245-issuance-of-revised-prudential-guidelines-and-risk-management-guidelines-for-banks) which came into effect in January. This means that most software houses will have no choice but to adopt existing information security standards.

As I conclude, I have a rather skeptical feeling about whether banks will embrace the above standards, because from my interaction with some of the key banks around, only 3-5 are receptive. This applies to the Internet banking frontier as well. I have performed closed disclosures to some banks and they simply brushed them aside, probably citing falsified assessments or otherwise. However, others have been very receptive, and I guess it is just a matter of time before we see any substantive progress in that direction.

So the IEBC bug isn't new to the infosec scene. It has just metamorphosed into a national-scale butterfly.

-ty 

2 comments:

  1. You know, every time I read your blog I understand the ignorance Kenyan security teams have.... They underestimate the power we have, and they believe in this small perception, which has grown a huge hole in their systems, that Kenyans don't have hackers or that we are simply too arrogant.... To them I say @_K_ing is watching... very closely. Thanks for the info man, cheers.

  2. Thank you, Nyoike, for always taking the time to read my opinion. We have time to remedy the ills in the infosec world, but we need to start now to build capability models that are unique to our economy.
