Cyber-security is an effort that is undertaken to delay, detect or deter a cyber-attack.
A cyber-attack is any unauthorized access to an organization’s information or the information of clients.
Many Ugandans have fallen victim to cyber-attacks on their financial bases but only those who are brave enough can confront the banks or telecoms to get their money back.
Ugandan banks have not given this problem the attention it deserves because many attacks go unreported, yet this usually leads to credit risk.
Here is an example: if my credit card credentials are used to do online shopping and I then prove that I didn’t do the shopping in question, the bank has credit risk.
Between October 2020 and August 2022, I surveyed thirty organizations to gauge their efforts in protecting their information and the information of their clients. A total of thirty-one organizations mostly in the financial sector.
Surprisingly, the organizations that hold the most sensitive information are the ones making the least effort to secure that information. Of the banks looked at, it was found that the Central Bank had some security weaknesses in protecting the information of its employees.
For example, in April 2021, www.archive.bou.or.ug had an expired security certificate, putting all the information in the digital archive at risk. A website security certificate is issued by a Certificate Authority and helps to encrypt information exchanged between the server and the user. While the cost of website certificates from Certificate Authorities may reach thousands of dollars, free certificates are also available on the internet but not from Certificate Authorities. These free certificates are called self-signed certificates.
In the same period under study, Stanbic Bank had two expired security certificates and this went on for 13 months demonstrating a high level of negligence!
DFCU servers were also found to be highly vulnerable to attack but no effort was taken to reduce the risk of attack probably due to using older legacy encryption.
Other organizations where a laxity in cyber security was seen, include the Uganda Police Force and MTN Uganda which top the list in the number of viruses on the network. The police seem to lack a policy on which devices can connect to their network.
The highest risk network is MTN partly because it shares its web servers with its customers and as a result virus and botnet infections are alarmingly high on the MTN network. MTN has also failed to address some common vulnerabilities such as CVE-2018-13379. Given the amount of business and personal information that is exchanged on MTN networks daily, MTN must improve its information security for the sake of its customers. The 2020 cyber-attack at MTN was due to insider threat management failure which could have been prevented.
In October 2020, Kenyan cyber-squatters set up a website resembling the Uganda Revenue Authority (URA) website to fool URA customers into making tax payments to bank accounts belonging to the cyber-squatters. The official URA website is www.ura.go.ug; the cyber-squatters set up www.ura.ug, and many innocent taxpayers could have fallen prey to the fake website. I detected this fraud and alerted Commissioner General Mr. John Musinguzi, who swung into action, and the fake website was closed in two hours. This partly explains why URA is on top of the list, because the mean time to detect a problem and the mean time to resolve that problem are some of the tools for evaluating security performance.
Around the same time, ninety-six websites resembling the official Stanbic Bank website were discovered. The official Stanbic website is www.stanbicbank.co.ug. The cyber squatters set up websites such as www.stanbicbank.coa.ug, www.ctanbicbank.co.ug, www.stanbacbank.co.ug, etc. Thirty days later, these fake websites were still active laying a trap for Stanbic customers yet it takes only 5 minutes to make a TAKEDOWN REQUEST to the registrar of domain names or other internet authorities.
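As an added illustration (not part of the original article), a defender can screen newly observed hostnames against the official domains named above and flag lookalikes for a takedown request. The function names, the distance threshold and www.example.co.ug are assumptions made for this example; the other hostnames are the ones quoted in the article.

```python
# Official registrable domains, as named in the article.
OFFICIAL = ["ura.go.ug", "stanbicbank.co.ug"]

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(host):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def classify(host, official=OFFICIAL, max_distance=1):
    """Return (verdict, official_domain_or_None) for one hostname."""
    h = normalize(host)
    for reg in official:
        # The domain itself or a genuine subdomain of it.
        if h == reg or h.endswith("." + reg):
            return ("official", reg)
    labels = h.split(".")
    for reg in official:
        # Exact brand label on a different suffix, e.g. ura.ug for ura.go.ug.
        if reg.split(".")[0] in labels:
            return ("brand_on_other_suffix", reg)
    for reg in official:
        # Small typo; a larger threshold misfires on short names like "ura".
        if edit_distance(h, reg) <= max_distance:
            return ("typo", reg)
    return ("unrelated", None)

def triage(observed):
    """Map each suspicious hostname to the official domain it imitates."""
    hits = {}
    for host in observed:
        verdict, reg = classify(host)
        if verdict in ("brand_on_other_suffix", "typo"):
            hits[host] = (verdict, reg)
    return hits

# Hostnames from the article plus one constructed unrelated name.
OBSERVED = ["www.ura.go.ug", "www.ura.ug", "www.stanbicbank.coa.ug",
            "www.ctanbicbank.co.ug", "www.stanbacbank.co.ug", "www.example.co.ug"]

if __name__ == "__main__":
    for host, (verdict, reg) in triage(OBSERVED).items():
        print(f"{host}: {verdict} of {reg}")
```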
For most of 2020, the website of the National Information Technology Authority had an expired security certificate while the Ministry of Finance used a free security certificate. While it is okay for primary schools to use free security certificates, the use of such certificates will lower the online credibility of governments and other big organizations. It took the intervention of the then permanent secretary of the Ministry of ICT, Mr. Vincent Bagiire, to address the problems at NITA and the Ministry of Finance, but it was too late: hackers penetrated the treasury.
Most of the organizations rated form part of the National Critical Infrastructure whose compromise can lead to a detrimental effect on the national economy, disruption of critical services, or loss of lives.
If one bank is hacked and collapses, this can bring down the entire banking sector, which in turn brings down the economy, leading to social unrest.
It is therefore recommended that the government of Uganda takes cybersecurity as a matter of national security.
The most impressive first installment would be to create cybersecurity awareness training in public and private organizations. When employees are trained, they become partners in fighting cyber crime. Moreover, there are eight possible sources of financing for cybersecurity.
Below, I show you the performance of randomly selected organizations in Uganda in November 2020. The results tell the state of cyber-security in Uganda.
Security rating considerations
1. Diligence: The steps a company has taken to prevent attacks
2. Compromised systems: Devices on a company’s network that show symptoms of malicious software, viruses, worms, etc.
3. User behavior: employees engage in risky behavior such as sharing media files on the company network
4. Mean-time to detect problems & Mean-time to resolve problems
From a scan of the UBA, the network did not return any results. UBA needs to create a local internet portal. Currently, UBA uses a Nigerian-based portal, thus it is difficult to see the events taking place on their network.
NOTE: Peter Kisitu is a Cyber-Security Analyst
Contact: Kisitu25@gmail.com and Mobile: +256759198398 / +32487800535