
Re: Valuable Read: Kenya SACCO Cybersecurity Report for 2018

Thanks Ed and Kevin... The link I found which works now is
https://www.serianu.com/downloads/SaccoCyberSecurityReport2018.pdf . Good
intro article on cybersecurity risks for small financial institutions of
all kinds.

Yes, SACCOs and SHGs (Self Help Groups) mostly predate the microfinance
movement, and have been generally slower to become digital.  Many still
operate on paper systems. Some are using Mifos. The report is not wrong to
say that most orgs of this size and sophistication remain mostly ignorant
or barely aware of their cybersecurity vulnerabilities. They also note that
many (Kenyan) banks are not much better.

Broadly speaking there is a growing cybersecurity threat directly
proportional to the number of users and scope of use of the mifos/fineract
systems. While other banking systems remain a much richer target for funds
transfer exploits, our community of user-institutions are definitely not

I think the important takeaway for the fineract project is to make sure we
are supporting encryption of data "at rest" and "in motion" (e.g. SSL),
secure key-storage, One-Time Passwords (better is Timeout OTP), as well as
architecture that assumes it will be hacked and there is a way to *monitor*,
*detect* (e.g. key log characteristics are visible to admin and specific
issues raise a flag), and subsequently *react* to any intrusion via such
functionality as "holding suspicious transactions" or "review exceptional
transactions reports".  When things are "to be implemented by the devops
teams according to best practices" then that should be spelled out in
guides.  This probably deserves more discussion.

There are also probably several areas of non-functional system features
which could be interesting for a developer to work on.

Please report technical security issues to security@xxxxxxxxxxxxxxxxxxx .
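
The monitor / detect / react pattern described in the reply above, as an added
example that is not part of the original thread and not Mifos or Fineract
code: a small rule-based monitor in Python that reads a constructed
transaction audit log, flags specific issues for the admin, and decides per
event whether to ALLOW it, put it on the exceptional-transactions report
(REVIEW) or suspend posting pending release (HOLD). The account baselines,
business hours, velocity window and all log lines are constructed for the
illustration; a real deployment would take the baselines from the ledger and
the thresholds from the institution's own policy.

```python
"""Added example, not Mifos/Fineract code: rule-based monitoring of a
constructed core-banking transaction audit log with an ALLOW / REVIEW / HOLD
decision per event and a summary visible to the admin."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed per-account baseline: average posted amount over the last 30 days
# (assumed values; a real system would compute these from the ledger).
BASELINE = {"ACC-100": 2000.0, "ACC-200": 500.0}
BASELINE_MULTIPLIER = 10           # HOLD if amount exceeds 10x the account baseline
BUSINESS_HOURS = (8, 18)           # local hours during which outflows are expected
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 2                 # more than 2 transfers by one user in the window -> HOLD
OUTFLOWS = {"transfer", "withdrawal"}


@dataclass
class Txn:
    id: str
    ts: datetime
    user: str
    account: str
    kind: str
    amount: float
    beneficiary: Optional[str] = None


# Constructed audit log: one JSON object per posted transaction, in posting order.
SAMPLE_LOG = """\
{"id":"T1","ts":"2018-12-18T09:15:00","user":"teller1","account":"ACC-100","kind":"deposit","amount":1500}
{"id":"T2","ts":"2018-12-18T10:00:00","user":"teller1","account":"ACC-200","kind":"transfer","amount":400,"beneficiary":"ACC-300"}
{"id":"T3","ts":"2018-12-18T10:02:00","user":"teller1","account":"ACC-200","kind":"transfer","amount":450,"beneficiary":"ACC-301"}
{"id":"T4","ts":"2018-12-18T10:05:00","user":"teller1","account":"ACC-200","kind":"transfer","amount":480,"beneficiary":"ACC-302"}
{"id":"T5","ts":"2018-12-18T23:40:00","user":"admin","account":"ACC-100","kind":"withdrawal","amount":1200}
{"id":"T6","ts":"2018-12-19T11:00:00","user":"teller2","account":"ACC-100","kind":"transfer","amount":30000,"beneficiary":"ACC-999"}
"""


def parse_log(text: str) -> List[Txn]:
    """Parse JSON-lines audit records into Txn objects, skipping blank lines."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        txns.append(Txn(rec["id"], datetime.fromisoformat(rec["ts"]), rec["user"],
                        rec["account"], rec["kind"], float(rec["amount"]),
                        rec.get("beneficiary")))
    return txns


def evaluate(txn: Txn, history: List[Txn]) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for one event given the events posted before it."""
    holds, reviews = [], []
    base = BASELINE.get(txn.account)
    # Rule 1: amount far above what this account normally moves -> HOLD.
    if base is not None and txn.amount > BASELINE_MULTIPLIER * base:
        holds.append(f"amount {txn.amount:.0f} exceeds {BASELINE_MULTIPLIER}x baseline {base:.0f}")
    # Rule 2: money leaving the institution outside business hours -> REVIEW.
    if txn.kind in OUTFLOWS and not (BUSINESS_HOURS[0] <= txn.ts.hour < BUSINESS_HOURS[1]):
        reviews.append(f"{txn.kind} posted outside business hours at {txn.ts:%H:%M}")
    # Rule 3: burst of transfers by the same user within the window -> HOLD.
    if txn.kind == "transfer":
        recent = [h for h in history
                  if h.user == txn.user and h.kind == "transfer"
                  and timedelta(0) <= txn.ts - h.ts <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_LIMIT:
            holds.append(f"{len(recent) + 1} transfers by {txn.user} within {VELOCITY_WINDOW}")
    if holds:
        return "HOLD", holds + reviews
    if reviews:
        return "REVIEW", reviews
    return "ALLOW", []


def process_log(text: str) -> Tuple[Dict[str, Tuple[str, List[str]]], Dict[str, int]]:
    """Walk the log in order; return per-event decisions and a count per decision."""
    history, decisions = [], {}
    summary = {"ALLOW": 0, "REVIEW": 0, "HOLD": 0}
    for txn in parse_log(text):
        decision, reasons = evaluate(txn, history)
        decisions[txn.id] = (decision, reasons)
        summary[decision] += 1
        history.append(txn)
    return decisions, summary


if __name__ == "__main__":
    decisions, summary = process_log(SAMPLE_LOG)
    for tid, (decision, reasons) in decisions.items():
        print(f"{tid}: {decision} {'; '.join(reasons)}")
    print("summary:", summary)
```

On the constructed log, T4 is held because it is the third transfer by the same
teller inside ten minutes, T5 is sent to the exceptions report because a
withdrawal was posted at 23:40, and T6 is held because it is fifteen times the
account's baseline. The reasons list is what the admin sees, which is the
"specific issues raise a flag" half of the pattern; the HOLD decision is the
"holding suspicious transactions" half.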


On Tue, Dec 18, 2018 at 10:04 AM Kevin A. McGrail <kmcgrail@xxxxxxxxxx>

> I had to look up SACCO.  Surprised the document didn't spell it out
> either.  It's Savings and Credit Cooperative Organizations for others :-)
> --
> Kevin A. McGrail
> VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
> On Tue, Dec 18, 2018 at 12:52 PM Ed Cable <edcable@xxxxxxxxx> wrote:
> > Hi community,
> >
> > I thought this would be a valuable read for everyone - SACCOs are becoming
> > a lucrative target for cyber attacks and as one would expect most are
> > under-estimating in cybersecurity.
> >
> > We as a community and partners in supporting individual institutions
> > should take into account what measures we can take as we deliver them
> > solutions in the cloud and help them with digital transformation.
> >
> > You can download and read the report from Serianu at
> >
> > https://media.licdn.com/dms/document/C4E1FAQHLuCFQsIiO7w/feedshare-document-pdf-analyzed/0?e=1545232378&v=beta&t=oo0Iyz-B5UJVgfLtCpFApxT8wAmyQrHKSV6_QqLOkLo
> >
> > --
> > *Ed Cable*
> > President/CEO, Mifos Initiative
> > edcable@xxxxxxxxx | Skype: edcable | Mobile: +1.484.477.8649
> >
> > *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
> > <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
> >