Anda di halaman 1dari 16

COMESA Cyber Security and PKI Meeting

(Pre-event Awareness Workshop)

2 0 th N o v e m b e r 2 0 1 3

By:

Michael K. Katundu Director, Information Technology Communications Commission of Kenya (CCK)

Content
1. Introduction 2. Implementation of Kenyas National Management framework 3. Collaboration in Cyber Crime Management 4. Overview of Cyber Incidents in Kenya 5. How to Report Cybercrime attacks in Kenya 6. Kenyas Public Key Infrastructure (PKI) 7. COMESA Cyber Security and PKI Meeting Cybersecurity

Introduction
What is Cyber Security? Cyber security is the defense against Cybercrime or cyber-attacks. It is the defense against attacks on Information and Communications Technology (ICT) infrastructure. It is a means of safeguarding computer networks and the information they contain from penetration and malicious damage or disruption. What is Cyber Crime? Cyber crime refers to attacks on the Information and Communications Technology (ICT) infrastructure. Cyber-attacks are mainly directed to computer networks, computer data, Facebook, emails, Bank accounts and websites, among others. Cyber-attacks can lead to malicious damage or disruption of services, including loss of money. Cyber-attacks can be committed through the Internet using Computers, Tablets , Mobile phones, among others. Many types of cybercrimes are simply extensions of existing physical criminal activities.
3

Introduction (Contd)
National CIRTs A National CIRT is a technical cyber security management entity that acts as a Trusted Point of Contact for a given country where Citizens, regional and international communities report cybercrime incidents for assistance. To effectively discharge its mandate, best practice requires that a National CIRT establishes relevant partnerships at the National, Regional and International level. In Kenya the National CIRT is the KE-CIRT/CC Sector CIRTs This refers to a technical cyber security management framework that serves a particular industry. Examples include a law enforcement CIRT, a financial sector CIRT, a Telecommunications Operators sector CIRT, an Academia sector CIRT, among others Stakeholders interest groups are encouraged to form their respective sector CIRTs to coordinate cyber security management within their sectors, in collaboration with the National KE-CIRT/CC.

Introduction (Contd)
Cybersecurity management framework in Kenya includes: The Kenya Information and Communications Technology Sector Policy of 2006; The Kenya Information and Communications Act CAP411A of 1998; and The Kenya Information and Communications (Electronic Certification and Domain Name Administration) Regulations of 2010, among other legal instruments; The national Kenya Computer Incident Response Team Coordination Centre (KE-CIRT/CC)

Implementation of Kenyas National Cyber Security Management Framework


The Kenya Information and Communications Act CAP411A of 1998 mandates the CCK to implement Kenyas national cyber security management framework In October 2012, the CCK established the Kenya Computer Incident Response Team/Coordination Centre (KE-CIRT/CC), Kenyas national trusted point of contact for cyber security matters. The functions of the KE-CIRT/CC include;
Offering advisories on cyber security matters to its constituents and coordinating cyber incident response in collaboration with relevant actors locally, regionally and internationally. Gathering and disseminating technical information on computer security incidents; Carrying out research and analysis on computer security; Facilitating the development of a national Public Key Infrastructure (PKI); and, Capacity building in information security and creating and maintaining awareness on cyber security-related activities.
6

Implementation of Kenyas National Cybersecurity Management Framework


To enhance collaboration with local cyber security stakeholders, in April 2012 the CCK put in place the National Cybersecurity Steering Committee (NCSC) to facilitate the establishment of the national KECIRT/CC, as well as oversee the operations of the national KE-CIRT/CC. The NCSC is chaired by CCK and draws members from:
The Ministry of Information, Communication and Technology (MICT); Telecommunications Service Providers of Kenya (TESPOK), Internet Service Providers (ISPs) and Undersea Fibre Optic Cable Providers; Law Enforcement; Academia; The Financial sector; Critical Utilities Infrastructure entities (Kenya Airways, Kenya Civil Aviation, Nairobi Water and Sewerage Company, Kenya Pipeline Corporation, Kenya Power Limited and Kengen Limited); and Government Agencies.

Collaboration in Cyber Crime Management


To effectively discharge its mandate, best practice requires that a national CIRT establishes relevant partnerships at the National, Regional and International level. KE-CIRT/CC has established the following partnerships: National level: National cyber security Steering Committee (NCSC) whose members are drawn from the Ministry of ICT, TESPOK/ISPs/Mobile Operators, academia, the financial sector and the law enforcement; Regional level: EACO cyber security Taskforce (E.A Point of Contact) and other E.A National CIRTs; and International level: ITU, IMPACT, FIRST (ongoing), etc.

Overview of Cyber Incidents in Kenya

Source: KE-CIRT/CC 2013 9

How to Report Cybercrime attacks in Kenya


Cybercrime incidents can be reported to the KE-CIRT/CC through: Web portal: http://cirt.cck.go.ke/contact Email: cirt@cck.go.ke Tel: +254-703-0422000/446 or +254-20-4242000/446 Fax: +254-20-4451866 A letter addressed to: Director General Communications Commission of Kenya (CCK) Waiyaki Way P.O. Box 14448, 00800 Westlands NAIROBI, KENYA

10

Kenyas National Public Key Infrastructure (PKI)

11

Kenyas National Public Key Infrastructure (PKI)


A Public Key Infrastructure (PKI) refers to a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. A Public Key Infrastructure (PKI) creates digital certificates which map public keys to entities, securely stores these certificates in a central repository, and revokes them if needed. The PKI framework uses public key cryptography, a cryptographic technique that enables users to securely communicate on an insecure public network, and reliably verify the identity of a user via digital signatures.

12

Kenyas National Public Key Infrastructure (PKI)


Generally a PKI Consists of: Registration Authorities (RAs)
RAs are the first point of contact for prospective users of PKI services. The role of RAs is to verify the identity of a user. This function is usually performed by a Certification Authority (CA).

Certificate Authorities (CAs)


CAs issue and verify digital certificates that authenticate the identity of organizations and individuals over a public system like the Internet. The digital certificates are also used to sign electronic messages and documents, which ensure that the electronic messages and documents are not tampered with during the transmission process.

A Root Certification Authority (RCA)


RCAs accredit CAs who issue digital certificates to users. Accreditation ensures that digital certificates issued by the CA are recognized & trusted globally.

13

Kenyas National Public Key Infrastructure (PKI)


In Kenyas framework, the RA and CA functions will be performed by CCK licensed Electronic Certification Service Providers. The RCA is a regulatory instrument and thus this function will be performed by the CCK Already, the technical implementation of Kenyas PKI (RA, CA and RCA) is in place. The CCK is currently in the process of developing a licensing framework for the Electronic Certificate Services Providers (E-CSPs). The framework is currently available for public/stakeholder consultations until 25th November 2013.

14

COMESA Cyber Security and PKI Meeting


Objectives Sharing experiences among the COMESA member states on the implementation of national cyber security frameworks, national Public Key Infrastructure (PKI) and consideration of the COMESA cyber security and PKI road map.

Dates Venue Target Group

26th to 28th November 2013 Safari Park hotel, Nairobi Academia, financial institutions, cyber security committees/taskforces, investigators, judges, law enforcement, lawyers, national and sector CIRTs, prosecutors, policy makers, information security professionals, among other cyber crime management stakeholders.

15

THANK YOU katundu@cck.go.ke