1ngHgHy Dorine Nalo - isaca.or.ke · Ms. Elizabeth Ochieng, CISA,CGEIT,CRISC 2018 February-May...




Kenya Chapter Newsletter Vol 4/2018 Oct - Dec 2018

Name Dorine Nalo. Social Engineering And Identity Theft; A Case Study Of Sim Swap. Upcoming Events

Dorine Nalo Manager, Digital Transformations and Robotics at EY also the ISACA Kenya Chapter SheLeadsTech Liaison.

Who is Dorine? I am a wife and a mother of two, passionate about technology because of the social and business solutions technology is able to deliver.

Education background? I grew up wanting to be a pilot but as I was waiting to join campus, I enrolled for a diploma course in Business Information Technology (DBIT) at Strathmore University and it is then that I decided to venture into the IT world.

I later pursued a bachelor’s degree in business information technology (BBIT) from the same university and it was then that we formed Student IT Association and I became the first female president of the Association. Other qualifications that I have achieved since then include: CISA, PRINCE2, CEH, CCNA, Change Management, Data and Analytics among others.

Career progression? I joined Ernst & Young as a Business Analyst ~ Technology & Risks Services. I have since grown in my career to the current position I hold, Manager - Digital Transformations and Robotics.

When did you join ISACA? I have been a member since 2008 volunteering in various roles like presentations. One such instance is the Business Continuity Management presentation I did at Hilton Hotel.

How has ISACA aided your career progression? It has brought me into a community of people with similar experiences helping me create a web of networks that is well versed in Tech. ISACA has granted me an opportunity to build my knowledge which is definitely a step up in my career progression.

What do you do for fun? I love music, I used to be a vocalist in a Band before I joined EY. I enjoy travelling and experiencing new cultures, watching plays and cooking.

How do you strike a balance, being a mother, a wife and career? All these roles require dedication and commitment. I acknowledge that I am not a super woman and will therefore ask for help where need be. Being organized also works for me. At the beginning of the day I will prepare a checklist of what I need to accomplish in the course of the day. This helps me remain focused. When it comes to family, I believe what matters is quality not quantity, so I try to spend quality time with my family.

What is the whole idea of ‘SheLeadsTech?’ being the chapter’s Liaison? From studies conducted, women’s participation in Tech is low and this is quite unfortunate because through diversity women bring in fresh and new ideas. Convergence of ideas from both men and women brings prompt solutions to most issues in Tech and that is where SheLeadsTech comes in, to encourage the women in the technology space through a number of activities such as:
• Creating awareness of the niche in Tech through events as well as creating safe spaces for women to share their stories in order to encourage others.
• Training and upscaling the skills of women in Tech.
• Running programs aimed at mentoring younger ladies in STEM.
• Building alliances with other likeminded institutions to scale up the program.

What improvement would you want to see in ISACA in terms of its communication with the members? I would suggest that the communication channels be diversified. There’s also a need for agility which can be achieved through online events, podcasts and webinars. Clarity on the message being passed during online sessions and meetings should be enhanced. This is not to mean that physical meetings and events are not necessary but creating a blend of the two enables ISACA to reach a wider audience.

Word of advice to aspiring techies? Those aspiring to venture in the technology space need to be intentional, choose their path by finding people who can mentor them, being open minded ready to learn new technology trends and being ready to work hard.

ISACA releases COBIT 2019. For more info visit https://bit.ly/1ngHgHy

Article by George Njuguna Karuru, [email protected]


SOCIAL ENGINEERING AND IDENTITY THEFT; A CASE STUDY OF SIM SWAP


Research conducted by ISACA showed that the weakest link in every security posture is always the human element, which is a problem because the core asset of every business is its people. It is that human factor that makes social

Social engineering in the context of information security is the use of deception to manipulate individuals into

used for fraudulent purposes. Identity theft on the other hand is a crime in which an imposter obtains key pieces of

number, mobile money PIN, or SIM card PIN, among others in order to impersonate someone else.

One common type of social engineering in Kenya is subscriber identity module (SIM) swap abuse. SIM card swap/replacement is the process of transferring all the details tied to a subscriber’s old phone number, including airtime, data bundles and M-Pesa balance, to a brand new SIM card. This process is, however, abused and used against unsuspecting mobile users.

In the SIM card swap fraud, the fraudster usually makes a call pretending to be an employee of a mobile network operator. When a mobile user picks up the call, the fraudster then asks the unsuspecting mobile subscriber to share their personally

fraudster then goes ahead to swap the SIM card thereby gaining access to all the SIM services including mobile money transfer, mobile and internet banking, voice calls, SMS, data services and any other service that can be accessed through the SIM.

On 24th July 2018, detectives from Central Police Station, Nairobi, Kenya arrested three more suspects linked to the spiralling SIM swapping scam amid ongoing investigations. The three were arrested on Tuesday, in connection with a scam that saw a mobile subscriber lose Sh1.9 million. One of the key suspects was a customer care executive at one of Kenya’s telecommunication companies who has since been dismissed.

The Directorate of Criminal Investigations (DCI) in Kenya on August 8, 2018, reported that a total of 30,000 SIM cards, hundreds of mobile phones and 2 laptops, among other electronics, had been recovered after four suspects were arrested in connection with SIM swap fraud. This brought the total number of people arrested in connection with the case to 22, among them telecommunication employees and university students.

The Communication Authority and the network operators in Kenya have run a campaign to warn users against sharing

they are sure of the person they are corresponding with.

The Authority, on Thursday, July 19, 2018, and in line with its mandate of sensitizing and awareness creation on Cyber security related matters, advised the public to beware and put in place the following preventive measures:
• Be Cautious. Do not respond to calls or emails asking for

whom the person you are corresponding with. Always verify

care contacts of the service provider.

If you get asked to respond to a request with personal information, then it’s a scam.
• Your PIN is your Secret. Never divulge any of your PINs to anyone, not even the mobile money service provider or agent.

If the request conveys a sense of urgency, or uses high-pressure tactics be sceptical; never let their urgency

• Research the facts. Be suspicious of any unsolicited messages or requests. If the request looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory

organizations do not contact you to provide help. If you did

• Report Fraud Cases. Immediately report any such incidents to the Service Provider, the nearest Police Station or to the National KE-CIRT/CC through Tel Hotlines: +254-703-042 700, +254-730-172 700, email: [email protected] or forward the fraud SMS and fraudster contacts via text to 333.



Q3 SUMMARY IN PHOTOS (2018)

ISACA Kenya President, Denis M. Mutinda addressing participants of the SheLeadsTech Evening talk.

Panel discussion during the SheLeadsTech workshop

Dorine Nalo, SheLeadsTech Liaison - ISACA Kenya Chapter. Jo Stewart-Rattray, Chair of ISACA's Women Leadership Council.

Alisha Wenc, ISACA SheLeadsTech Program Manager. Laura Chite, CEO of CIO East Africa.

Audience following the proceedings of the SheLeads evening talk. Group photo for the SheLeadsTech workshop participants.


When you bring a new member to ISACA they will save US $10 on their membership application fee and you get a reward. For you to earn rewards through the Member Get a Member program, your colleagues must enter your ISACA Member ID number when joining.

The more you recruit, the better reward you will receive! Visit http://isacamgam.org/ to see the fantastic rewards.

To All ISACA Kenya Chapter Members

take place on Saturday 24th November 2018, at Best

Avenue, Nairobi from 10:00am. Parking will be arranged at the hotel. Please ensure you obtain a ticket for parking which will be stamped at the reception of the hotel at the time of your leaving. There will be exciting giveaways for members who will attend.


NOTICE OF ISACA KENYA CHAPTER ANNUAL GENERAL MEETING

ISACA MEMBER GET A MEMBER PROGRAM

2019 Membership Renewal

* Log on to www.isaca.org, and select ‘My ISACA’ to view your membership status, report CPEs, obtain your invoice and pay.

* You can pay via card or wire transfer as per the details on the invoice. Indicate your member number as the reference.

* We can assist as necessary by communicating to your employer about the renewal.

Knowledge
• Bi-monthly ISACA Journal
• Webinars
• Whitepapers and publications
• Audit/Assurance Programs
• Standards, guidelines and procedures
• COBIT 5 Family of Products
• Cybersecurity Nexus (CSX) publications

Savings
• member rate on CISA, CISM, CRISC and CGEIT exam registrations
• Discounts of up to 20-30% on exam preparation materials
• Conference discounts
• Discounts on online courses

Access
• Professional networking locally and globally
• Open Engagement and volunteer opportunities available
• Events and training
• Business and social events

Questions, volunteer opportunities assistance or concerns can be channeled to [email protected].


2018 February-May CISA Exam, Mrs. Lucy Wanjiru Muiruri, CISA, CISM

2018 June-September CISA Exam, Mr. Josphat Kyalo Kinyumu & Mr. Urbanus Muange Mwanzia

2018 February-May CISM Exam, Mr. Alfred N. Magara

2018 June-September CISM Exam, Ms. Catherine Kathuni

2018 February-May CGEIT Exam, Ms. Elizabeth Ochieng, CISA, CGEIT, CRISC

2018 February-May CRISC Exam, Ms. Elizabeth Della Akinyi Ayugi, CISA, CISM, CRISC

2018 June-September CRISC Exam, Mr. Kabuthia Riunge, CISA, CISM, CRISC

Upcoming CPE Events

1. Evening Talk: Use of Data Analytics in Internal Audit
Venue: Best Western Plus Meridian Hotel, Nairobi.
Date: 29th November 2018
Charges: Members - Ksh. 1,000, Non-members - 1,500
Registration: https://goo.gl/forms/Arf40WzYAdP2LIez1
2 CPE hours

2. Inter-varsity CISA Bootcamp
JKUAT University Town Campus - JKUAT Towers (former ICEA Building), Kenyatta Avenue CBD
Date: 26th to 30th November 2018
Cost: Ksh 10,000/= per student (non-member), Ksh 7,000/= per student (member whose membership is renewed for 2019)
Registration: http://bit.ly/ISACA2018
Note: This bootcamp is open only to currently enrolled university students.

3. IT Audit Technical Training
PrideInn Paradise Beach Resort & Spa, Mombasa
Date: 3rd to 7th Dec 2018
Charges: Members - Ksh. 92,800, Non-Members - Ksh. 98,600
Registration: http://www.isaca.or.ke/program-registration/
Course Outline: https://2018_IT_Audit_Technical.01.pdf
35 CPE Hours

18

for further deta

4. 2019 Pre-Conference:
Governance Risk and Compliance Training - 8-9th April 2019, Prideinn Shanzu Mombasa
Cyber Security (CSX Fundamentals) Training & Exams - 8-9th April 2019, Prideinn Shanzu Mombasa

5. 2019 Annual Conference - "Enabling Digital Transformation", 10-12th April 2019, Prideinn Shanzu Mombasa