Aaron Manzano, of HMP Consulting in Trinidad and Tobago, and an IT/network security expert, continues our Q&A series on cyber security in the region.
The only truly secure system is one whose development process is controlled from the beginning, located at a site with a hardened bunker deep underground, with no communications links to the outside and all informed and aware of its existence are terminated to prevent leaks as the site is nuked.
The above quote is a paraphrase of our guest expert’s recollection of views expressed in the “Orange Book” – the US Department of Defense Trusted Computer System Evaluation Criteria – and is precisely the reason why network security is so critical. Our networks exist in an imperfect world, where we cannot control all the factors the quote suggests are necessary to create a truly secure system.
In this, the third in our expert series, we discuss cyber security in Trinidad and Tobago with Aaron Manzano, an IT/network security professional with over 30 years’ experience in the field. Aaron’s specialties include IT Operations and Management, Network Design and Implementation, Information and Network Security, and Systems Development and General Management. Over the last seven years, he has been the Director of HMP Consulting, and he is based in Trinidad and Tobago.
ICT Pulse: Hi Aaron, how prevalent do you think cyber intrusions are in Trinidad and Tobago, and in the wider Caribbean? By chance, do you have access to data?
Aaron Manzano: The level of cyber intrusion in Trinidad and Tobago is unknown as organizations aren’t required to submit any incident reports or even acknowledge its existence. In particular, this is a touchy subject for Media Houses, Financial Institutions and Governments, who are guarded about releasing such data.
Based on our investigations, many networks in Trinidad and Tobago are attacked regularly. As indicated, the level of intrusion success is unknown; however we continue to observe constant intrusion attempts, with China, Hong Kong and Russia topping the list.
It is my belief this situation is not only prevalent in Trinidad and Tobago but is also the case in the wider Caribbean.
ICTP: Based on your experience, what are some of the common misconceptions that organisations have about network security?
AM: These are many, so I will just reference a few:
- “Having a Firewall and Antivirus is enough.” Unfortunately, that is the starting point.
- Management’s total lack of understanding/appreciation of the issues at hand.
- People’s idea that: “Patching Microsoft Windows will break my app”. Not patching my O/S and Applications (Microsoft Windows, Linux or whatever you use) is the same as leaving the keys in the door. Someone eventually can or will walk in and make themselves at home and you won’t know until it’s too late.
- Configuration Management: Not having an inventory of your Hardware and Software Resources and establishing Access Controls based on Ownership, Responsibility and Functions; which is like your friend parking the car in your yard, the car he borrowed, the same car that was rented yesterday to his cousin.
- Depending on vendors and products to keep you safe. Information security is a discipline and a practice based on a constant effort to stay informed and having a process that addresses risks against business needs. This emphasis is lacking even within organizations that should know better.
- Leaving systems with defaults or obvious settings, controls or passwords on the assumption that we will get to it later.
- Not evaluating your service providers.
- Limited employee education regarding policies (if they exist), security compliancy and what to do if they are victims.
ICTP: In your capacity as an Internet Security Strategist, what are three key questions businesses should ask themselves when assessing the secureness of their networks?
AM: 1. What do I need to protect?
2. Whom am I protecting it from?
3. What would be the business impact should there be a breach whether it occurs internally or externally?
ICTP: Are there any trends you have observed, or have been reported, regarding threats/intrusions in Trinidad and Tobago, or in the region?
AM: I think the biggest trend we are observing is the presence of Command and Control BOT, Attempted Domain Hijacks and Fake Antivirus. Other than that, constant port scans. The organization with the smallest footprint fares best, but is not immune.
The trend that is worrying is the uncontrolled deployment of mobile devices. Most organizations are allowing staff to bring and use their personal devices without a clear policy of use and responsibility of data.
ICTP: What resources and/or support structures currently exist in Trinidad and Tobago (e.g. legislation, special interest groups, agencies, etc.) to address cyber security?
AM: It is difficult to answer this question fairly as there are initiatives to promote safe, responsible and legal use of Information Technology in Trinidad and Tobago. Moreover, it is like a preacher preaching to the converted. Many are hearing but hardly any are listening. Special Interest Groups that exist tend to be full of techies most not focused on the business issues. We need more Executive Management involvement and the willingness of those executives to share.
On the legal side, our Parliament has drafts that keep going back for review, which is delaying any legal leverage for business accountability.
ICTP: Finally, what do you believe should be the next steps in Trinidad and Tobago, and/or in the wider Caribbean, to move national (and/or regional efforts) on cyber security in the right direction?
AM: I have always believed that the Central Banks of the region should get together to drive these initiatives. They are best placed to advise governments and businesses. Also, they are well connected with similar agencies outside of the region where they already share information and best practices. Things I would like to see the Central Banks do are as follows:
- Establish and manage a Root CA for CARICOM. This can be hosted in Jamaica or Barbados as they are better prepared for natural disasters.
- Establish Education and Compliance Guidelines for Cyber Security and monitor it.
- Establish a committee (I don’t like committees) of business and government stakeholders to share knowledge and strategy.
Do you have any questions for Aaron, or views you would like to share? Please do so in the Comments area below.
Looking forward to your feedback!
Image: Victor Habbick / FreeDigitalPhotos.net
____________
Hi ya,
Interesting post. I’ve got some issues with this cyber crime/Information Security phenomenon. You mentioned “Special Interest Groups that exist tend to be full of techies most not focused on the business issues. We need more Executive Management involvement and the willingness of those executives to share.” I think it needs to be emphasised that the broad field of IT security draws on several different expertise and affects everyone, literally, and thus its development is not only dependent on any one group (techies, business people, law enforcement or lawyers). Cyber crimes aren’t going anywhere soon and countries need to pool their resources (individually or joint) to tackle the problem.
The point is highlighted several times over that organisations are unwilling to report breaches but are there facilities in place to report such? If I run a small business from home and realise/suspect that my site (or small server) has been hacked where do I go, what do I do, who do I call? Who will investigate these crimes? Are there guidelines in place for investigating such crimes? These are some of the issues faced with crimes of this nature. Cyber bullying is also considered a cyber crime. If I find my child is being bullied via their cellphone what do I do? Who do I call? Are officers trained and equipped to deal with such complaints? Are they aware?
You raised the point of employees and mobile devices. Now that’s a whole different matter that I won’t start ranting about today.
I must say I don’t like committees either but this situation warrants some type of group to set up to tackle the problem (as you alluded to).
Ok Thank you ICT Pulse, I will stop now.
Moni
Hi Moni,
Thanks for your passionate comments: they’re really appreciated!
I will give Aaron and others the opportunity to jump in first and offer their thoughts on what you have said, and then I may add my two cents…
Cheers,
Michele
You are very right with your opening paragraph. We do need all these disciplines to get involved. However, who drives it and who benefits? The Business Owners, Executives and the Stakeholders are the ones who need to accept and recognize the need. Most organizations are concerned about their bottom line and some their public image. In some ways it is akin to money laundering, government needs to drive it but most times it will be driven by economic risk.
I stated that there is no mechanism to report breaches (or suspected incidents). The reality is that we are at ground zero and have a long way to go up. In T&T, the Data Protection and Computer Misuse Bills are still being reviewed and each review so far is a result of not adequately addressing current issues. By the time it returns for debate the environment would have evolved again. At some point we must stop talking and start doing. Maybe in this forum we can create a mechanism to facilitate a CERT.
Thanks Aaron!
Despite the fact that a layperson may not even realise that they have been a victim of cybercrime, we are all stakeholders in this. I dislike the idea of such a venture being driven by the security forces; it may be a good starting point as they are the ones who will eventually have to address the crime (a crime is a crime wherever it is committed). I am thinking that some stakeholders may be taking this for granted. You mentioned the case of T&T’s Bills; these Acts/Bills can be created to accommodate the dynamic nature of technology as is done in other countries/regions. I will make reference to an article published two Sundays ago in the Jamaica Gleaner that was right on target with the description of the region’s perception of cyber crime.
I especially like your last two sentences.
Hi Moni,
I wholeheartedly agree with you that we are all stakeholders in cyber security and so should participate in the efforts towards solutions. However, one of the challenges which I think we have is that to varying degrees, people, particularly policy makers, do not realise the extent to which we are vulnerable…
In the Jamaica Gleaner article that you mentioned, concern is indeed expressed that although the Caribbean has been focussing on increasing Internet availability and affordability, we have not been prepared to address cyber security in equal measure, if only to protect our interest – since we are becoming increasingly reliant on the Internet in order for our countries to function…
A lot of what is going on in Information Technology is similar to Financial Management back in the 20’s/30’s when the focus was on earnings and not protection. Risks were taken not knowing that a risk exists and solutions were provided based on a perceived need as opposed to the real need.
As I said in the interview, the preacher is preaching to the converted. The challenge now is to remove the blinkers from the stakeholders, get legislators to work on the looming problem as opposed to achieving some international compliance and people to take responsibility for their property.
The day the average person sees a Login Password on equal footing as the Debit Card Pin is the day consequences of IT Security will be self-implied and not externally enforced. This in itself is not the solution but the change in perception.