Some Of The Reasons Why Government Of Kenya Websites Could Be Getting Hacked So Often
I was a little alarmed when I read this article the other day in the Daily Nation. Basically, the Government of Kenya has made the bold decision (and I do mean really bold!) to move all Government websites to local website hosting facilities due to the numerous hacking incidents to date, as regularly reported by the media. In addition, this major change of policy will also require that all websites are hosted in a centralised Government facility, so that the current scenario of fragmented website hosting service providers, both local and international, is also addressed. This initiative, according to the Daily Nation article, is expected to solve the largely embarrassing and avoidable(?) security breaches once and for all. If only it was that simple!
Just the other day I wrote a blog post here about Angani, a local cloud services startup that is aiming to transform the perception that local website hosting services are neither world-class nor cost-effective (which is a truly ambitious effort if you ask me). The truth is that existing local website hosting services, including those currently used by the Government of Kenya, are not nearly world-class. Achieving the kind of standards set by the likes of Amazon Web Services (AWS), SiteGround and RackSpace, who are global market leaders, requires massive financial investment as well as cutting-edge technology and truly seasoned expertise. However, this does not mean that the Government cannot achieve much better website hosting capabilities than is currently the case.
The truth of the matter is that the Government websites that have been hacked, and continue to get hacked every so often, are hosted both locally and internationally via a myriad of website hosting service providers. If you asked me, I would say that the bigger issue at hand is not where the websites are hosted but rather that undefined Internet security policies and procedures may be ultimately to blame. This comes down to one question: of the many hundreds of websites out there, how are these being deployed and managed to ensure that they are secure at all times? A comprehensive audit process alone would take a considerable amount of time and effort to establish the ‘as is’ state.
Therefore, probably the more practical approach (initially?) would be for the Government to establish what the common and underlying causes of these website hacking incidents are. Based on my own professional experience in this space, and having worked with clients who had websites that had been hacked in the past, these in my opinion are probably some of the common reasons why this happens most of the time, and the measures that can be taken to address them:
Incorrectly Configured Software
This is one of the most fundamental reasons why websites get hacked. If the web server(s) hosting the site has software that has not been properly configured, then it's really, really easy for your website to get hacked. This can be anything from the server’s operating system to the web server, where there may be security holes that enable hackers to get in through a myriad of techniques and weaknesses (e.g. SQL injection, Cross-Site Scripting, File Permissions, Default Settings, etc). This also applies to the content management system (CMS) and the extensions or modules that are used to enhance website functionality. A CMS enables website administrators to make content updates in a user-friendly manner as well as enhance the site's interactivity. Correct software configuration usually means it has been ‘hardened’ (in techie parlance) to protect it from hackers, which is a continuous, never-ending process.
In my experience, this is probably one of the most common ways that websites get hacked in Kenya. It's really unfortunate, since it's one of the easiest ways for things to happen and is actually quite avoidable. What this means is that you need to run the latest and most secure versions of web server software like PHP, Apache, MySQL and Linux (i.e. the LAMP stack) as well as CMSs like Joomla, WordPress or Drupal. The older versions of software usually have security holes that newer versions ‘patch’ and make secure. Therefore, it's a no-brainer to make sure that web server software is up to date across the board as a deterrent to security breaches.
Over the years working with website clients, weak passwords have quite often been a major culprit in hacking incidents. I recall an incident where a major local bank had their website hacked because their CMS username and password were the default ‘admin’ and ‘password’ combination that really anyone can guess! You would be surprised how often this sort of thing happens using ‘brute force’ attacks, whereby hackers use hacking software to ‘guess’ commonly used passwords in rapid succession till they get through. I’d wager that as many as 50% of the Kenya Government websites that have been hacked over the years were due to weak passwords.
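As an added illustration (not code from this post or from any Government system), here is one way a site administrator could spot the rapid-succession password guessing described above in a web server access log. The log lines, the threshold and the time window are constructed assumptions, as is the rule that a failed login returns 200 and a successful one returns a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login endpoints of the CMSs named in the post (WordPress, Joomla, Drupal).
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/user/login")

# Combined access-log format: client IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that send `threshold` or more login POSTs within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            hit = flagged.setdefault(m["ip"], {"attempts": 0, "redirect_in_burst": False})
            hit["attempts"] = max(hit["attempts"], len(q))
            # Assumption: a failed login returns 200 and a successful one a
            # 302 redirect, so a 302 inside a burst may be a guessed password.
            if m["status"] == "302":
                hit["redirect_in_burst"] = True
    return flagged

# Constructed sample log (documentation-range IPs): one normal admin login,
# then six rapid POSTs from one client, the last of which is redirected.
SAMPLE_LOG = [
    '198.51.100.20 - - [12/Mar/2024:09:58:10 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2024:09:58:11 +0300] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [12/Mar/2024:10:00:0{i} +0300] "POST /wp-login.php HTTP/1.1" '
    f'{302 if i == 6 else 200} 1843 "-" "-"'
    for i in range(1, 7)
]

if __name__ == "__main__":
    for ip, hit in find_bruteforce(SAMPLE_LOG).items():
        print(ip, hit)
```

A flagged address with a redirect inside the burst is the case to review first, since it suggests the guessing may have succeeded and the account's password should be reset.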
Viruses, Malware and Trojans
Any combination of viruses, malware and trojans can be the culprit in hacking attacks. This is because if your website has been compromised, or the computers you use to manage your website are infected, then they can effectively ‘steal’ your login details and pass them on to hackers to do with as they please. This means that your anti-virus and Internet security software needs to be up to date at all times, and ideally you should use a combination of various software products just in case one misses it. It also means that an infected computer used by a website administrator would infect website files as they are uploaded, and therefore infect website visitors' computers and devices as well.
Security Scans, Penetration Tests, Vulnerability Assessments, Backups and Web Application Firewalls (WAFs)
Assuming that all of the previously mentioned reasons for hacking have been addressed and a website still gets hacked, some additional reasons come into focus. Hacking has become so commonplace that even the largest organisations in the world are also falling victim to hackers, so to be really fair the Government of Kenya should not be too hard on themselves. However, the good news is that there are many proactive measures they can take. These include having automated security scans that check for vulnerabilities before they become a risk. It also means hiring security experts and external firms to carry out regular penetration tests and vulnerability assessments on the websites in question. There are also cloud-based service providers such as Cloudflare and VaultPress who offer automated back-ups and web application firewalls, or ‘WAFs’ for short, that block attacks before they can even get started.