Tablets, phones, webcams - anything can attack you online

What you need to know:

  • Ideally, the Data Protection Act would be the reference point in mobilising both the public and private sector in having a harmonised approach to information security.
  • In other words, information security can only be guaranteed if all organisations are reading from the same information security page.

Last week popular internet sites like Twitter, CNN and others were hacked and their services disrupted. Hackers directed millions of devices, owned by private individuals, to attack the internet's navigation system.

These devices included poorly protected computers, tablets, mobile phones, Wi-Fi routers, cameras and just about any device that can connect to the internet.

The devices were hijacked and given instructions to overwhelm selected machines, leading to denial of services to their users, hence the appropriate name – denial of service attack – for the phenomenon.

It is further defined as a distributed denial of service (DDoS) attack because there are many independent devices scattered across the globe participating in the attack.
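The "distributed" part is what makes this kind of attack hard to filter: no single hijacked device needs to send much traffic, so a defender watching for one noisy source sees nothing unusual, while the combined volume still overwhelms the target. The following is an added illustration, not code from the column or from any of the organisations it names. It parses constructed web-server access-log lines (TEST-NET addresses, made-up timestamps) into one-second windows and labels each window as normal, a single-source flood, or a distributed flood. The log format, the thresholds and the labels are all assumptions chosen for the example.

```python
"""Classify one-second traffic windows from access-log lines (constructed data).

Added example: shows why a flood spread over many sources slips past
per-source checks. Log format and thresholds are assumptions, not the
column's.
"""
import re
from collections import Counter, defaultdict

# Common web-server access-log layout (assumed): ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("ts")


def bucket_by_second(lines):
    """Group requests by their timestamp (to the second) and count per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not counted
        ip, ts = parsed
        buckets[ts][ip] += 1
    return buckets


def classify_window(counter, total_threshold=200, single_source_share=0.5,
                    min_distinct_sources=50):
    """Label one window. Thresholds are illustrative assumptions."""
    total = sum(counter.values())
    if total < total_threshold:
        return "normal"
    _, top_count = counter.most_common(1)[0]
    if top_count / total >= single_source_share:
        # One source dominates: a per-IP rate limit would catch this.
        return "single-source flood"
    if len(counter) >= min_distinct_sources:
        # Many sources, none individually loud: the DDoS pattern in the text.
        return "distributed flood"
    return "elevated"


def classify_log(lines, **thresholds):
    """Map each one-second window to its label, in time order."""
    buckets = bucket_by_second(lines)
    return {ts: classify_window(c, **thresholds) for ts, c in sorted(buckets.items())}


def make_line(ip, ts):
    """Build one constructed log line (same fixed request for all)."""
    return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512'


def constructed_sample():
    """Three constructed seconds: quiet, one loud host, many quiet hosts."""
    lines = []
    t0 = "01/Jan/2000:13:00:00 +0000"  # quiet: 10 sources, 2 requests each
    for i in range(10):
        lines += [make_line(f"203.0.113.{i}", t0)] * 2
    t1 = "01/Jan/2000:13:00:01 +0000"  # one host sends 300, five others 1 each
    lines += [make_line("198.51.100.7", t1)] * 300
    for i in range(5):
        lines.append(make_line(f"203.0.113.{i}", t1))
    t2 = "01/Jan/2000:13:00:02 +0000"  # 150 hosts, 2 requests each = 300 total
    for i in range(150):
        lines += [make_line(f"192.0.2.{i}", t2)] * 2
    return lines


if __name__ == "__main__":
    for ts, label in classify_log(constructed_sample()).items():
        print(ts, label)
```

In the third window every source sends only two requests, so nothing about any individual device stands out; only the aggregate count and the number of distinct sources reveal the flood. That is the signal a service has to monitor for, and why recovery from such an attack is a matter of capacity and coordination rather than blocking one offender.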

Of course Twitter, CNN and others were able to get up and running within a few hours. But is Kenya able to survive and recover from a sustained DDoS attack?

The more our private and public services move online, the more vulnerable we become. Imagine life without M-Pesa, Huduma Centres, the eCitizen portal or iTax, due to unplanned interruptions or attacks.

We have reached a point where life would be clearly miserable without these electronic services, and where their sustained absence may lead to social strife.

This alone should demonstrate the importance of information security in the public and private sectors.

Ideally, the Data Protection Act would be the reference point in mobilising both sectors in having a harmonised approach to information security.

The cliché that says "your security is only as good as your weakest link" can never be over-emphasised.

NEW MINISTRY GUIDELINES

It basically means that the overall security status of a country does not depend on the security status of one organisation, but on the consolidated security status of all organisations.

Your heavy investment in information security may amount to nothing if your neighbour has not invested at all. Unless they upgrade their security strategy, their computers can be easily hijacked and directed to attack your organisation.

In other words, information security can only be guaranteed if all organisations are reading from the same information security page.

So last week, the Ministry of Information, with technical support from ISACA-Kenya, launched the draft Information Security Policy and Procedure Manual for the public sector.

This manual contains important information security guidelines that touch on policies, processes and procedures necessary to ensure that public sector information assets are secure.

It is written in a format that would allow both technical and the non-technical leadership to identify their roles and effectively participate in the important exercise of protecting public sector electronic systems.

Ministries, parastatals and other government agencies, including county governments, are expected to adopt and integrate the information security manual within their operations.

This would guarantee a baseline information security framework that can enable Kenya to successfully recover from a sustained denial of service attack against our critical services.

It is critical that all public sector organisations adopt a unified approach to information security, since a weak link in any public sector entity becomes an entry point for the next attack.

We are, as the cliché goes, only as strong as our weakest link.

Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Email: [email protected], Twitter: @jwalu