Tyrus Kamau is one of the celebrated digital security experts in Kenya. He shares with Dhahabu Kenya his journey into the ethical hacking profession (the "good hackers", if they even exist): how he grew into it, the challenges and opportunities, and where he feels the pressure points lie for growing organizations.
What does ethical hacking mean?
Ethical Hacking basically means hacking into systems with the sole purpose of identifying their weaknesses before the bad guys do. It is a proactive, defensive approach to cyber security.
How have you been involved in ethical hacking and from when?
I have been at it for the last 10 years now. I started off while still on campus as a hobby. It slowly developed into an obsession and, since we didn’t have as many interconnected systems back then as we do now, the few I found gave me an adrenaline rush to push even further. Later on I got a job as a systems administrator and I did IT security as part of my job description. Eventually, companies had awoken to the realities of cyber security and I became the head of IT security at Cellulant Group before transitioning to Bharti Airtel, where I was the Head of Airtel Money Security across Africa. Later on I started my own consulting firm, Euclid Consultancy Services LTD, which I now run full time.
How is hacking in general in Kenya perceived and practiced?
It has begun taking root with the advent of technology-driven businesses. Most companies, however, only consider the benefits of ethical hacking after being pressed to conduct audits for compliance reasons. Regulators such as the Central Bank of Kenya (CBK) and the Communications Authority of Kenya (CA) seem to push systems audits which involve elements of ethical hacking. Under Euclid Consultancy, we have a brand known as AfricaHackOn which raises awareness among students, encouraging them to pursue Cyber Security and Ethical Hacking careers since the market is now ripe for such skill sets. Overall, the practice is conducted by audit firms and private consultancies like ours.
Why should organizations and individuals know about ethical hackers?
I believe anyone would like to know their areas of weakness before the bad guys do. So essentially, most organizations fret at the thought of paying for ethical hacking services, yet the reality of it is, you will be hacked. It’s just a matter of when that happens. In my years, I’ve seen companies incur not just financial losses but reputation and brand erosion, all of which would have been stemmed by conducting what is known as a Penetration Test and/or Vulnerability Assessment. Needless to say, some companies don’t know who to engage and therefore proceed to cough up hefty amounts of money for mediocre services, which in turn lead to compromise. The bottom line is, you need skilled ethical hackers to do the job: someone who has been doing it properly for years, with a proven track record and, even better, backed up by an authority. Just getting someone to show you how you can be hacked is as good as trusting anyone with a lab coat and a stethoscope to prescribe medication. Get a person who will show you how you will be hacked.
How is the business in ethical hacking in Kenya?
So far the market is cognizant of its importance. The fact that a regulatory body like the CBK has categorically stated that financial institutions need to have their systems audited regularly is an indication of ethical hacking’s adoption. Some businesses are also now willing to pay for services, while others are still gambling with their investments and digital assets.
Which kind of institutions engage your services more and why?
Our clients range from financial institutions, namely banks, SACCOs, etc., to service aggregators, NGOs, Government and academic institutions.
Financial services have more to lose monetarily; service providers deal with customer information, which could be catastrophic once leaked or stolen. NGOs also have systems which handle sensitive data, and so does Government. Academic institutions are interested in training programs and attachment opportunities for their students, and they also offer a good ground for Research and Development.
Would you say it is a profitable business? Why?
Indeed, just like every other business, if properly executed it is profitable. My philosophy is to always deliver what the client wants, in time and within budget. The customer is trusting you to identify their weaknesses, which isn’t an easy thing to do. It’s akin to inviting someone to your house and asking them to find ways in which you can be robbed or even attacked. So buying and maintaining the customer’s trust is imperative and non-negotiable. The product packaging also has to be aligned to the customer’s business, their strategy and the customer’s customer.
What are the tenets of a good ethical hacker?
Ordinarily, you have to be trustworthy. It takes a great deal of self-restraint to hack into a system and expose your findings to the public even without informing the customer. You cannot be driven by an ego or bragging rights. I’ve come across ethical hackers whose egos are bigger than them, and eventually they get blacklisted from ever touching any customer’s system. In fact, we are working towards a clearing house for ethical hackers which will allow customers to vet us before engaging us in any sort of consultancy. We also have other people offering substandard workmanship, which hurts the market. All these are teething problems of what is, albeit, a young profession.
What would be your comment in ensuring people are digitally safe? What are the pressure points and how can they be avoided?
A lot of training and awareness needs to go into educating people on the dangers that lurk in the technology space. From the choice of passwords to developing secure applications, there’s quite a lot that needs to go into disseminating this knowledge. There are several initiatives we have been pursuing under the AfricaHackOn brand that have indeed raised awareness among different calibers of people. Most pressure points come from embracing technology without fully understanding it. For instance, social media poses several risks such as identity theft or having your account hacked. This stems from either not having a secure password or not using the tools provided to secure your account. We also see a lot of what is known as Social Engineering, where people receive fake SMS messages requiring them to send money, and they fall for such.
What would be your comment on online fraud in Kenya? How pervasive is it and what fuels it?
Online fraud hasn’t been very pervasive locally, though it has started taking a sharp rise with the advent of e-commerce sites. An example of online fraud which we have observed keenly takes the shape and form of what are known as Man-in-the-Middle Attacks, which are propagated by people logging in to any free wireless network. This allows the attacker to hijack sensitive information in transit without your knowledge. We shall be showcasing such attacks at our 3rd AfricaHackOn conference on July 28-29 at the Michael Joseph Center.
Have Kenyans embraced you as good people? Or do they have misgivings about you really being ethical in what you do?
When we started off, people didn’t want anything to do with us. Understandably so, because the word “hacker” has a negative connotation. I personally made enemies years ago because no one really understood how one can make a career out of hacking. But with time, we have been embraced, though we still have a few people who feel insecure about us simply because we might show their bosses they are just Wikipedia graduates with no real skills to match ;)
Your parting shot!
I would strongly encourage students or anyone interested to reach out to us. At AfricaHackOn, under Euclid Consultancy, we embrace new talent. We especially want to see more women take up this career. It is exciting and takes a very passionate individual to succeed at it. The learning process never stops and we are more than willing to help people launch their careers into ethical hacking and Cyber Security as a whole.