Posted to dev@fineract.apache.org by Ed Cable <ed...@mifos.org> on 2018/12/18 17:52:04 UTC

Valuable Read: Kenya SACCO Cybersecurity Report for 2018

Hi community,

I thought this would be a valuable read for everyone - SACCOs are becoming a
lucrative target for cyber attacks and as one would expect most are
under-estimating in cybersecurity.

We as a community and partners in supporting individual institutions should
take into account what measures we can take as we deliver them solutions in
the cloud and help them with digital transformation.

You can download and read the report from Serianu at
https://media.licdn.com/dms/document/C4E1FAQHLuCFQsIiO7w/feedshare-document-pdf-analyzed/0?e=1545232378&v=beta&t=oo0Iyz-B5UJVgfLtCpFApxT8wAmyQrHKSV6_QqLOkLo



-- 
*Ed Cable*
President/CEO, Mifos Initiative
edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>

Re: Valuable Read: Kenya SACCO Cybersecurity Report for 2018

Posted by Ed Cable <ed...@mifos.org>.
Thanks James for sharing an updated link that works now and for providing
the valuable knowledge and context on the sector from your years of
experience working directly with both institutions as well as regulators.

Thank you for imparting practical advice and knowledge to our existing set
of users and recommendations on what to implement in Fineract/Fineract-CN.
Just this morning Avik was discussing Timeout OTPs on a call I was having
with him and I'll let him share more of that on-list.

I will try to gather some of the top individuals in our community focused
on security so they can bring back additional thoughts and recommendations
to the community on list.

Ed



-- 
*Ed Cable*
President/CEO, Mifos Initiative
edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>
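The "Timeout OTP" mentioned in the two posts above is a time-based one-time password (RFC 6238). The following is an added illustration by the editor, not code from Fineract, Mifos or anyone in this thread: it derives the code from an HMAC over the current 30-second step, tolerates one step of clock drift, compares in constant time, and refuses to accept a time step at or before the last one already used, which is the check that stops a sniffed code from being replayed. The secret shown is the RFC 6238 test-vector secret; the step, digit count and drift window are illustrative defaults.

```python
"""Time-based one-time passwords (RFC 6238) with replay protection.

Added example for the discussion above; not Fineract or Mifos code.
The secret below is the RFC 6238 Appendix B test secret; step length,
digit count and drift window are illustrative choices.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int, step: int = 30, digits: int = 6,
                window: int = 1):
    """Verify a submitted code against the current time step.

    Returns (accepted, counter_to_store). The caller persists the returned
    counter per user; a time step at or before it is never accepted again,
    so an intercepted code cannot be replayed even inside its validity
    period. +-`window` steps of drift are tolerated for clock skew.
    """
    if not (isinstance(submitted, str) and len(submitted) == digits
            and submitted.isdigit()):
        return False, last_counter
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue  # already used (or older): replay protection
        # compare_digest does not leak how many leading digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    ok, used = verify_totp(secret, code, now, last_counter=0)
    print("first use accepted:", ok)
    replay, _ = verify_totp(secret, code, now, last_counter=used)
    print("same code again accepted:", replay)
```

In a deployment the stored counter, not just the secret, has to be updated atomically per user; two requests racing with the same code and the same stale `last_counter` would otherwise both be accepted.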

Re: Valuable Read: Kenya SACCO Cybersecurity Report for 2018

Posted by James Dailey <ja...@gmail.com>.
Thanks Ed and Kevin... The link I found which works now is
https://www.serianu.com/downloads/SaccoCyberSecurityReport2018.pdf . Good
intro article in cybersecurity risks for small financial institutions of
all kinds.

Yes, SACCOS and SHGs (Self Help Groups) mostly predate the microfinance
movement, and have been generally slower to become digital.  Many still
operate on paper systems. Some are using Mifos. The report is not wrong to
say that most orgs of this size and sophistication remain mostly ignorant
or barely aware of their cybersecurity vulnerabilities. They also note that
many (Kenyan) banks are not much better.

Broadly speaking there is a growing cybersecurity threat directly
proportional to the number of users and scope of use of the mifos/fineract
systems. While other banking systems remain a much richer target for funds
transfer exploits, our community of user-institutions are definitely not
immune.

I think the important takeaway for the fineract project is to make sure we
are supporting encryption of data "at rest" and "in motion" (e.g. SSL),
secure key-storage, One-Time-Passwords (better is Timeout OTP), as well as
architecture that assumes it will be hacked and there is a way to *monitor*,
*detect* (e.g. key logs characteristics are visible to admin and specific
issues raise a flag), and subsequently *react* to any intrusion via such
functionality as "holding suspicious transactions" or "review exceptional
transactions reports".  When things are "to be implemented by the devops
teams according to best practices" then that should be spelled out in
guides.  This probably deserves more discussion.

There are also probably several areas of non-functional system features
which could be interesting for a developer to work on.

Please report technical security issues to security@fineract.apache.org .

@Jdailey67




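The monitor / detect / react pattern James describes (flag specific issues, hold suspicious transactions, give reviewers an exceptional-transactions report, keep the key characteristics visible in logs) can be sketched as a small rule engine. The following is an added illustration by the editor and is not Fineract or Mifos code: the thresholds, business hours, field names and the sample transactions are all constructed for the example. A transaction that trips any rule is held rather than posted, every evaluated transaction produces one audit line, and held transactions are collected into a report for a reviewer to act on.

```python
"""Detect, hold and report suspicious transactions.

Added example for the thread above; not Fineract or Mifos code.
Thresholds, business hours, field names and SAMPLE_TRANSACTIONS are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    account: str
    operator: str        # staff user who keyed the transaction
    kind: str            # "deposit" | "withdrawal" | "transfer"
    amount: Decimal
    at: datetime


@dataclass(frozen=True)
class Decision:
    txn_id: str
    action: str          # "post" or "hold"
    flags: tuple         # reasons for the hold; empty when posted


class TransactionMonitor:
    """Stateful rule engine; outflows are remembered per account so that
    a large amount split into several smaller ones still trips the
    velocity rule, whether or not the earlier pieces were held."""

    def __init__(self, single_limit: Decimal, velocity_limit: Decimal,
                 velocity_window: timedelta, business_hours=(8, 18)):
        self.single_limit = single_limit
        self.velocity_limit = velocity_limit
        self.velocity_window = velocity_window
        self.business_hours = business_hours
        self._history = defaultdict(list)   # account -> [(time, amount)]

    def evaluate(self, txn: Transaction) -> Decision:
        flags = []
        outflow = txn.kind != "deposit"
        if outflow and txn.amount > self.single_limit:
            flags.append("amount_over_limit")
        start, end = self.business_hours
        if not start <= txn.at.hour < end:
            flags.append("outside_business_hours")
        recent = sum(a for t, a in self._history[txn.account]
                     if txn.at - t <= self.velocity_window)
        if outflow and recent + txn.amount > self.velocity_limit:
            flags.append("velocity_exceeded")
        if outflow:
            self._history[txn.account].append((txn.at, txn.amount))
        return Decision(txn.txn_id, "hold" if flags else "post", tuple(flags))


def audit_record(txn: Transaction, decision: Decision) -> str:
    """One pipe-separated audit line per evaluated transaction: when, what,
    which account, who keyed it, and why it was held (or '-' if posted)."""
    return "|".join([txn.at.isoformat(), txn.txn_id, txn.account, txn.operator,
                     txn.kind, str(txn.amount), decision.action,
                     ",".join(decision.flags) or "-"])


def exceptional_report(decisions) -> list:
    """The 'exceptional transactions report': everything held, in order."""
    return [d for d in decisions if d.action == "hold"]


def run_monitor(transactions, monitor=None) -> list:
    """Evaluate transactions in order with a fresh monitor unless one is given."""
    monitor = monitor or TransactionMonitor(
        single_limit=Decimal("50000"), velocity_limit=Decimal("100000"),
        velocity_window=timedelta(hours=1))
    return [monitor.evaluate(t) for t in transactions]


# Constructed sample data: one account making several withdrawals within an
# hour, and one late-night withdrawal by an admin user.
_D = datetime
SAMPLE_TRANSACTIONS = [
    Transaction("T0", "ACC-A", "teller01", "deposit",    Decimal("200000"), _D(2018, 12, 18, 9, 30)),
    Transaction("T1", "ACC-A", "teller01", "withdrawal", Decimal("20000"),  _D(2018, 12, 18, 10, 0)),
    Transaction("T2", "ACC-A", "teller01", "withdrawal", Decimal("30000"),  _D(2018, 12, 18, 10, 20)),
    Transaction("T3", "ACC-A", "teller02", "transfer",   Decimal("60000"),  _D(2018, 12, 18, 10, 40)),
    Transaction("T4", "ACC-B", "admin",    "withdrawal", Decimal("5000"),   _D(2018, 12, 18, 23, 15)),
    Transaction("T5", "ACC-B", "teller01", "withdrawal", Decimal("10000"),  _D(2018, 12, 19, 9, 0)),
]


if __name__ == "__main__":
    decisions = run_monitor(SAMPLE_TRANSACTIONS)
    for txn, dec in zip(SAMPLE_TRANSACTIONS, decisions):
        print(audit_record(txn, dec))
    print("for review:", [d.txn_id for d in exceptional_report(decisions)])
```

The point of recording held outflows in the history is that a hold is not a denial: until a reviewer releases or reverses it, the amount should still count against the account's velocity, otherwise repeating the same held amount would never accumulate.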

Re: Valuable Read: Kenya SACCO Cybersecurity Report for 2018

Posted by "Kevin A. McGrail" <km...@apache.org>.
I had to look up SACCO.  Surprised the document didn't spell it out
either.  It's Savings and Credit Cooperative Organizations for others :-)
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

