
Re: Valuable Read: Kenya SACCO Cybersecurity Report for 2018


Thanks James for sharing an updated link that works now and for providing
the valuable knowledge and context on the sector from your years of
experience working directly with both institutions as well as regulators.

Thank you for imparting practical advice and knowledge to our existing set
of users and recommendations on what to implement in Fineract/Fineract-CN.
Just this morning Avik was discussing Timeout OTPs on a call I was having
with him and I'll let him share more of that on-list.

I will try to gather some of the top individuals in our community focused
on security so they can bring back additional thoughts and recommendations
to the community on list.

Ed

On Wed, Dec 19, 2018 at 9:44 AM James Dailey <jamespdailey@xxxxxxxxx> wrote:

> Thanks Ed and Kevin... The link I found which works now is
> https://www.serianu.com/downloads/SaccoCyberSecurityReport2018.pdf . Good
> intro article in cybersecurity risks for small financial institutions of
> all kinds.
>
> Yes, SACCOS and SHGs (Self Help Groups) mostly predate the microfinance
> movement, and have been generally slower to become digital.  Many still
> operate on paper systems. Some are using Mifos. The report is not wrong to
> say that most orgs of this size and sophistication remain mostly ignorant
> or barely aware of their cybersecurity vulnerabilities. They also note that
> many (Kenyan) banks are not much better.
>
> Broadly speaking there is a growing cybersecurity threat directly
> proportional to the number of users and scope of use of the mifos/fineract
> systems. While other banking systems remain a much richer target for funds
> transfer exploits, our community of user-institutions are definitely not
> immune.
>
> I think the important take away for the fineract project is to make sure we
> are supporting encryption of data "at rest" and "in motion" (e.g. SSL),
> secure key-storage, One-Time-Passwords (better is Timeout OTP), as well as
> architecture that assumes it will be hacked and there is a way to
> *monitor*,
> *detect* (e.g. key logs characteristics are visible to admin and specific
> issues raise a flag), and subsequently *react* to any intrusion via such
> functionality as "holding suspicious transactions" or "review exceptional
> transactions reports".  When things are "to be implemented by the devops
> teams according to best practices" then that should be spelled out in
> guides.  This probably deserves more discussion.
>
> There are also probably several areas of non-functional system features
> which could be interesting for a developer to work on.
>
> Please report technical security issues to security@xxxxxxxxxxxxxxxxxxx .
>
> @Jdailey67
>
>
>
>
> On Tue, Dec 18, 2018 at 10:04 AM Kevin A. McGrail <kmcgrail@xxxxxxxxxx>
> wrote:
>
> > I had to look up SACCO.  Surprised the document didn't spell it out
> > either.  It's Savings and Credit Cooperative Organizations for others :-)
> > --
> > Kevin A. McGrail
> > VP Fundraising, Apache Software Foundation
> > Chair Emeritus Apache SpamAssassin Project
> > https://www.linkedin.com/in/kmcgrail - 703.798.0171
> >
> >
> > On Tue, Dec 18, 2018 at 12:52 PM Ed Cable <edcable@xxxxxxxxx> wrote:
> >
> > > Hi community,
> > >
> > > I thought this would be a valuable read for everyone - SACCOs are
> > > becoming a lucrative target for cyber attacks and as one would expect
> > > most are under-estimating in cybersecurity.
> > >
> > > We as a community and partners in supporting individual institutions
> > > should take into account what measures we can take as we deliver them
> > > solutions in the cloud and help them with digital transformation.
> > >
> > > You can download and read the report from Serianu at
> > >
> > > https://media.licdn.com/dms/document/C4E1FAQHLuCFQsIiO7w/feedshare-document-pdf-analyzed/0?e=1545232378&v=beta&t=oo0Iyz-B5UJVgfLtCpFApxT8wAmyQrHKSV6_QqLOkLo
> > >
> > >
> > >
> > > --
> > > *Ed Cable*
> > > President/CEO, Mifos Initiative
> > > edcable@xxxxxxxxx | Skype: edcable | Mobile: +1.484.477.8649
> > >
> > > *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
> > > <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
> > >
> >
>


-- 
*Ed Cable*
President/CEO, Mifos Initiative
edcable@xxxxxxxxx | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>