This is the second in our series seeking insight from network/IT security professionals across the Caribbean on cyber intrusion and security in the region.
In our inaugural cyber threats and security “Expert insights”, featuring Niel Harper from Barbados, he confirmed that online threats are far more prevalent in the Caribbean than we might have realised. Moreover, organisations rarely report intrusions, and in Barbados, there is insufficient capacity for cyber security response.
In this, the second in our series, we have a Jamaican perspective. Garfield Gordon, Territory Systems Engineer for Cisco Systems Inc., based in Jamaica, has graciously responded to a series of questions posed by ICT Pulse. Garfield has over 20 years’ experience in the IT/ICT space, and his areas of expertise include: Systems Integration, Networking, Internet, Security, Wireless, Mobile, Application Development and Business Enablement.
ICT Pulse: Garfield, how prevalent do you think cyber intrusions are in Jamaica, and in the wider Caribbean? By chance, do you have access to any data?
Garfield Gordon: It is common knowledge within the IT community that there are various intrusion attempts daily. What is not stated or readily apparent is the success rate of some of these attempts. Most of these attempts can be classified by the methods being used: port scanning, “script kiddie” type applications, and orchestrated intrusion attempts that are very clinical in targeting a specific vulnerability within a system.
In Jamaica, there have been a few media reports about people being charged for cyber crimes, ABM fraud, lottery fraud, etc. with the police seizing electronic equipment used to commit the aforementioned crimes.
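Garfield's first category of attempt, port scanning, is easy to pick out of ordinary firewall logs once events are grouped by source and destination and counted over a short time window. The following is an added example, not code from the interview or from Cisco; the log format (timestamp, source, destination, destination port, action), the sample lines and the thresholds are all constructed for illustration.

```python
"""Added example: flag port-scan reconnaissance in firewall-style connection logs.

The log format, the sample lines and the thresholds below are assumptions
made for this example; adapt parse_line() to the real log source.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). One source probes ten ports in a
# few seconds; a second host browses normally; a third touches two ports
# twenty-five minutes apart, which should not trip a one-minute window.
SAMPLE_LOG = """\
2012-05-03T10:00:01 203.0.113.7 198.51.100.10 22 DENY
2012-05-03T10:00:01 203.0.113.7 198.51.100.10 23 DENY
2012-05-03T10:00:02 203.0.113.7 198.51.100.10 25 DENY
2012-05-03T10:00:02 203.0.113.7 198.51.100.10 80 ALLOW
2012-05-03T10:00:03 203.0.113.7 198.51.100.10 110 DENY
2012-05-03T10:00:03 203.0.113.7 198.51.100.10 143 DENY
2012-05-03T10:00:04 203.0.113.7 198.51.100.10 443 ALLOW
2012-05-03T10:00:04 203.0.113.7 198.51.100.10 3389 DENY
2012-05-03T10:00:05 203.0.113.7 198.51.100.10 8080 DENY
2012-05-03T10:00:06 203.0.113.7 198.51.100.10 1433 DENY
2012-05-03T10:01:00 192.0.2.44 198.51.100.10 443 ALLOW
2012-05-03T10:01:30 192.0.2.44 198.51.100.10 443 ALLOW
2012-05-03T10:02:00 192.0.2.44 198.51.100.10 80 ALLOW
2012-05-03T10:20:00 203.0.113.9 198.51.100.10 22 DENY
2012-05-03T10:45:00 203.0.113.9 198.51.100.10 23 DENY
"""


def parse_line(line):
    """Parse one assumed-format line; return None for blank or malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, dst, dport, action = fields
    try:
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "dport": int(dport), "action": action}
    except ValueError:
        return None


def detect_scans(lines, window_seconds=60, min_ports=8):
    """Return one alert per (src, dst) pair that touches at least min_ports
    distinct destination ports within any window_seconds-long window.

    Both ALLOW and DENY lines count: a scanner learns as much from an
    accepted connection as from a refused one.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # distinct ports currently inside the sliding window
        start = 0
        for end, ev in enumerate(evs):
            in_window[ev["dport"]] += 1
            # Slide the window start forward until it is within window_seconds of `end`
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                alerts.append({"src": src, "dst": dst,
                               "first_seen": evs[start]["ts"], "last_seen": ev["ts"],
                               "ports": sorted(in_window)})
                break   # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"scan: {a['src']} -> {a['dst']} ports {a['ports']} "
              f"between {a['first_seen']} and {a['last_seen']}")
```

The threshold of eight distinct ports in sixty seconds is a starting point, not a rule; tune it against a baseline of legitimate traffic (monitoring systems and load balancers also touch many ports) before acting on alerts.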
ICTP: Based on your experience, what are some of the common misconceptions that organisations have about network security?
GG: A number of organizations focus only on network security but fail to address the other pillars of security, being physical security and application security. A number of applications can still be compromised by using the “SQL injection” method of attack and even worse, some applications are written with the “sa” username and password within the application or website. Some intruders manage to use social engineering techniques to gain access although we (at Cisco) have been providing information on this technique for the past decade.
Additionally, most organizations only focus on the perimeter security and fail to address activities that may originate internally within the network like viruses, worms, Trojans, bots and deliberate attempts to compromise systems and retrieve data. Some IT security staff believe that a one-time review of the systems and event logs every day is sufficient. However, they need to do this more frequently and implement the necessary system(s) to correlate incidents or suspicious activities.
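The two application-layer failings Garfield names, SQL injection and credentials for the database "sa" account embedded in the code, can both be shown in a few lines. The following is an added example, not code from the interview or from Cisco: a login query written by string concatenation beside the parameterized form, run against an in-memory SQLite table, plus a small regular-expression check for connection strings that carry the "sa" password. The table, the sample credentials and the sample source line are all constructed for illustration.

```python
"""Added example: SQL injection via string-built queries, the parameterized
fix, and a simple scan for hard-coded "sa" connection strings.

The users table, its contents and SAMPLE_SOURCE are constructed for this
example. Passwords are stored in clear text only to keep the example short;
a real application stores a salted hash.
"""
import re
import sqlite3


def build_db():
    """Create an in-memory SQLite database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text, so a
    password of  ' OR '1'='1  turns the WHERE clause into
    (username='alice' AND password='') OR '1'='1'  and matches every row."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Fixed: placeholders keep input as data, never as SQL grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Assumed pattern for SQL Server style connection strings that log in as "sa"
# with an inline password (User ID=sa;Password=...). It is a heuristic for
# a code review, not an exhaustive secret scanner.
CONN_STRING_RE = re.compile(
    r"(?i)\b(user\s*id|uid|user)\s*=\s*sa\s*;\s*(password|pwd)\s*=\s*[^;\"']+")

# Constructed line of application source, the kind of thing the interview warns about.
SAMPLE_SOURCE = 'connStr = "Server=db1;Database=Shop;User ID=sa;Password=Summer2012;"\n'


def find_hardcoded_sa(source_text):
    """Return every 'sa' connection-string fragment found in source_text."""
    return [m.group(0) for m in CONN_STRING_RE.finditer(source_text)]


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable login with injected password:", login_vulnerable(db, "alice", payload))
    print("parameterized login with same input:  ", login_parameterized(db, "alice", payload))
    print("hard-coded sa credentials found:", find_hardcoded_sa(SAMPLE_SOURCE))
```

The parameterized version fixes injection; it does nothing about the second problem. The application account should be a least-privilege database login with rights only to the tables it needs, and its password should come from configuration or a secret store that is not checked into the code, never from the "sa" account.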
ICTP: Are there any trends you have noticed, or that have been reported, regarding threats/intrusions in Jamaica, or in the region?
GG: Based on information provided to me, I can state that there has been an increase in reconnaissance activities, Denial of Service (DDoS, DoS), and penetration attempts within our top tier business verticals, being telecommunications, finance and insurance. Each territory in the Caribbean experiences different levels of penetration attempts or intrusions based on their staple markets. Cayman and Bermuda, for example, have a perceived higher rate of attempts probably because there are more financial and insurance companies in those territories.
ICTP: Are there any hardware and/or software solutions you believe might be more effective in addressing cyber intrusions?
GG: There are a number of vendors that provide security solutions but most focus only on the network security pillar. Cisco has solutions to address all of the security pillars previously mentioned. The links to the solutions are listed below:
- Network Security www.cisco.com/go/security
- Physical Security www.cisco.com/go/physec
- Video Surveillance www.cisco.com/go/physec
- Firewalls www.cisco.com/go/firewalls
- Intrusion Prevention Systems www.cisco.com/go/ips
- Network Admission Control www.cisco.com/go/nac
- Bring your own device www.cisco.com/go/ise
- Web Security www.cisco.com/go/wsa
- E-mail Security www.cisco.com/go/esa
- Endpoint VPN www.cisco.com/go/anyconnect
- Application www.cisco.com/go/ace
- Network/Security Management www.cisco.com/go/prime
- Virtual Private Networks www.cisco.com/go/vpn
Cisco also has a library of validated designs for most verticals, including security. Please visit: www.cisco.com/go/cvd
ICTP: Are there any cyber security-associated resources or support structures you believe are lacking nationally in Jamaica, and/or perhaps at the regional level?
GG: We have the Cyber Crimes Act 2010 in Jamaica, but the police can only enforce it with the cooperation of the business entities or other victims that have been affected by such crimes. It boils down to a matter of reputation and in Jamaica, much like the wider Caribbean, image matters. Thus many of these activities are not reported to law enforcement.
We may need to set up an entity in Jamaica or the Caribbean, something similar to the National Institute of Standards and Technology (NIST) in the US, where entities can provide data anonymously and allow us to gain some insight into these types of activities.
ICTP: What do you believe should be the next steps in Jamaica, and/or in the wider Caribbean, to move national (and/or regional efforts) on cyber security in the right direction?
GG: We need governance and compliance processes to be implemented within organizations – similar to Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). Following that, a rule should be instituted to list the compliance status of publicly traded companies on the respective stock exchanges. This would ensure that companies take cyber security seriously and also provide a business differentiator.
Another thing to do is to conduct regular workshops for staff, sensitizing them to the benefits and nuances of cyber security. These workshops can be conducted by internal staff or vendor representatives.
ICTP: Finally, is there any one tip you could share that could reduce the risk of cyber intrusion to organisations, or even to the personal user?
GG: Whilst you had asked for one tip, I feel it necessary to highlight a few that will lead to a reduction of incidents:
- Stop reading e-mails from unknown persons where the subject implies getting something free.
- Stop reading e-mails with nonsensical subject lines or very poor grammar and spelling even when it appears to come from someone you know. Most of our friends and family members can spell.
- Stop clicking on the links in the e-mails that want you to update your profile or change your password. For example, there is a fake Bank of America website (_www.b-of-america.co.cc_) that to the untrained eye looks like the real website (www.bankofamerica.com) and its purpose is to steal your banking credentials.
- While I am not advocating their use, if you choose to use a BitTorrent site to download files, be prepared for the consequences of having viruses or other remote control software being installed on your system.
- Stop letting your children use your corporate or business device to play games or download software from the Internet. You may inadvertently bring a virus or Trojan horse into your business environment.
- Finally, stop clicking on websites offering “free computer check up” or the popup “Your computer has a virus. Click here to remove it”. Did you instruct your computer to search for a virus? How did it suddenly know that you had a virus? Ironically, it will install the virus when you click on the link to remove the virus.
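The fake Bank of America site in the third tip works because the eye reads the brand name and not the registered domain. A link checker has to do the opposite: extract the host the browser will actually connect to and compare it against the domains you trust. The following is an added example, not code from the interview or from Cisco; the allowlist, the URLs and the warning labels are assumptions for illustration, and it uses only the Python standard library.

```python
"""Added example: decide whether a link really points at a trusted domain.

TRUSTED_DOMAINS and the sample URLs are assumptions for this example. The
lookalike domain www.b-of-america.co.cc is the one named in the interview;
the other URLs are constructed to show common disguises.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of registered domains the user is entitled to trust.
TRUSTED_DOMAINS = {"bankofamerica.com"}


def actual_host(url):
    """Return the host the browser would connect to, lower-cased, with any
    user@ prefix and :port removed. Returns None if no host can be found."""
    if "://" not in url:
        url = "http://" + url        # bare "www.example.com/path" has no scheme
    return urlsplit(url).hostname    # hostname drops userinfo and port


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only when host is a trusted domain or a subdomain of one.
    'bankofamerica.com.evil.example' fails: the trusted name must be the suffix."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a URL; warnings name the disguises a phishing link often uses."""
    host = actual_host(url)
    warnings = []
    if host is None:
        return {"host": None, "trusted": False, "warnings": ["no-host"]}

    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.username is not None:
        # http://www.bankofamerica.com@203.0.113.5/ connects to 203.0.113.5;
        # the brand name before '@' is ignored by the browser.
        warnings.append("userinfo")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode")   # internationalised label, check for homoglyphs

    trusted_flag = is_trusted_host(host, trusted)
    if not trusted_flag:
        warnings.append("untrusted-domain")
    return {"host": host, "trusted": trusted_flag, "warnings": warnings}


if __name__ == "__main__":
    for u in ["https://www.bankofamerica.com/login",
              "www.b-of-america.co.cc",
              "http://www.bankofamerica.com@203.0.113.5/login",
              "http://bankofamerica.com.evil.example/"]:
        print(u, "->", check_link(u))
```

The check answers only "is this the domain I think it is"; a trusted domain can still be compromised, and a link that passes still deserves the habit in the tip above: type the bank's address yourself rather than following the e-mail.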
Do you have any questions for Garfield, or views you would like to share? Please do so in the Comments area below.
Looking forward to your feedback!
Image courtesy of Null Value, flickr
_____________
Very nice article, particularly your perspective on what the next steps should be in terms of governance and compliance.
Great article. It is useful to know that Jamaica has the Cybercrime Act. Will that Act address a computer-related crime that doesn't involve any network at all? Or is there another act to address that? I know Barbados as well as CARICOM has a Computer Misuse Act, but Jamaica apparently doesn't. Not sure about the other islands; maybe someone can enlighten us on that.
I know companies are reluctant to report these breaches (as it is worldwide); however, I am sure that keeping it a secret could cause more harm than good. As alluded to in a post last week, if there was a central arm to report to and collate this info, maybe more would be available. Also, if no info/data is made available, it could stifle research and development in the region (personal agenda here); such info is needed to propel developments to help address and stem these issues.
Hi Moni,
The Cyber Crimes Act seeks to encompass all computer-related crime, whether on a network or not. The definitions given are very broad, and the punishments and/or fines vary based on the type of crime, the results of the crime and the victim of the crime. There is also a provision for the Act to be reviewed two years after its commencement.
Regarding data breaches, there are no mandatory provisions, that I am aware of, to force an organization to report such breaches to the public. I know there is the Payment Card Industry (PCI) requirement for members to report or notify the PCI Security Standards Council of a breach. If it is found that the merchant, bank or financial entity did not report a breach, their credit or debit card transactions could be rejected.
Hence my comments around governance, compliance and the creation of an entity to capture, collate and disseminate the breach information.
Thanks Garfield!
I believe that while cybercrime legislation can be beneficial, it can also prove to be somewhat worthless if not executed right and in concert with a number of other integral pieces of the response to online attacks. What most often happens is that fragmentation occurs where regional trade blocs or economic cooperation partnerships do not harmonise their legislative instruments, resulting in the inability to enforce their laws when crimes are conducted in other international jurisdictions. Additionally, in the absence of CERTs and CSIRTs, cybercrimes are not even prevented, detected or corrected in a sufficiently effective manner. Local police need to have formalized relationships with the FBI, Interpol and other agencies. Information needs to be constantly exchanged, and agreements ought to be in place for extradition or local prosecution (whatever the case may be). All too often, we create cybercrime laws in a very insular fashion, and end up with a document that ‘looks and feels’ good, but has no teeth (no enforcement authority).
Thank you for the response here. I do think that jurisdiction plays an important role where cyber crimes are concerned, as often the attacker and the victim are not in the same jurisdiction, hence the need for formal cooperation with outside agencies.
It is encouraging to see that Jamaica already has a legal framework to address cybercrime. I haven’t read the entire Act, provided on the link. I was wondering the extent to which the Act caters for cybercriminals outside Jamaica but perpetrating crimes in Jamaica (the Internet being ubiquitous).
Do vendors such as Microsoft and others, whose software is so pervasive have a responsibility to make their systems/software less vulnerable to attack? Would a government or business be within its right to set a policy that disallows the use of certain operating systems because they are inherently more vulnerable?
Rodney,
Given the environment in which software companies operate, there is no fiduciary agreement to develop software that’s absent of bugs. Commercial software is about development cycles, speed to market and profit dynamics. In this context, secure coding practices just aren’t the primary focus points for developers. The software industry is not a regulated one, so there is no basis for government to impose such policies. However, the self-regulation mechanisms inherent in the industry can serve to reach the ends to which you refer. For one, software manufacturers can differentiate their products by adhering to certain best practices and submitting their products to 3rd party testing and validation before they reach market. Customers can also voice their disapproval by sending comments to manufacturers, and also by refusing to purchase products that have too many bugs or security weaknesses. As SaaS and cloud computing become more popular, I think we will see a paradigm shift towards more explicit trust relationships between providers and customers. There will simply be no other way to do business given the amplified risks associated with these platforms.
Thanks Niel!
Hi Rodney,
Niel gave a great response around the commercial aspects of software development, differentiation and what you can do as a consumer to show your disapproval.
A business or government can set policies to disallow certain software or systems within their organization, but they may have to deal with “fair competition” laws or issues. The US and Australian governments have disallowed Huawei equipment from being placed in their national or defense networks. Many businesses have chosen to standardize on Linux, mainly because of licensing costs, but they paid a substantial amount for training, support, integration and interoperability. The high-tech and systems integrator type companies do well at adopting many operating systems into their organizations because they use the experience as a learning platform as to what to expect with their customers.
Every system has vulnerabilities: Unix, Linux, Windows, Macintosh, Mainframes and PDA type devices. The ways they are attacked or “infiltrated” are different for each platform and range from social engineering to specific code being written to compromise a system. Microsoft listened to the market and released a product to address most of the security concerns of government, business and the public at large. This product is Microsoft Windows Vista. A name that will eventually fade away like Windows ME. Why? Because consumers rejected it stating that it was annoying and too restrictive.
Most systems have a “systems administrator” account and everyone else is created with a “user account” as this will minimize the exposure of the system to many vulnerabilities. How do we use our Windows machines? I will take the position to say with the Administrator account and not the user accounts but yet people complain that the system is vulnerable. Just remember that in the past the target systems were Unix and Mainframe based and the terms used were corporate espionage or sabotage. Windows is just the flavour of the decade. Let’s see which system is next.
Garfield