This is the first in our series seeking insight from network/IT security professionals across the region on cyber intrusion and security in the Caribbean.
About two weeks ago, LIME customers in Barbados experienced some degradation of their broadband service. The cause: “a deliberate attack on the internet infrastructure by an external source”, LIME revealed in a press release issued after systems were well in the process of being restored. As expected, LIME sought to reassure customers that the distributed denial-of-service (DDoS) attack on their systems…
… was not widespread and that our servers have not been compromised. Our firewalls are robust and are configured to international standards. In fact, to guard against these types of attacks we have increased our defences both locally and internationally… (Source: LIME)
However, appreciating the considerable resources to which a company like LIME has access, and the concerns regularly being expressed that the Caribbean has become a haven for cyber criminals (see Where is Internet Governance going in the region?), we in the region might not fully understand the extent to which we are susceptible to a broad range of cyber threats and intrusions. Hence ICT Pulse will be asking IT/network security professionals across the region for their views on this critical issue.
To kick off this series, we posed a few questions to Niel Harper. Niel, who is based in Barbados, has over 16 years’ experience in Telecommunications Engineering, Information Security Management, Business Continuity Management, Enterprise Risk Management, and ICT Regulation and Policy. He has worked for organizations such as Cable & Wireless, AT&T, Cingular Wireless and CIBC First Caribbean in the region.
Should you have questions you would like to pose to Niel, or views you would like to share, please do so in the Comments area below.
ICT Pulse: How prevalent do you think cyber intrusions are in Barbados, and in the wider Caribbean?
Niel Harper: Precise figures are hard to provide due to the fact that many companies in Barbados and the wider Caribbean do not report breaches. This can be due to numerous reasons, ranging from the reputation (regulatory consequences and service outages) and financial (share prices hits or revenue decreases) risks associated with the compromise of private information, to the fact that there are no pervasive legislative frameworks which mandate that firms report breaches to government or to their customers.
However, I would say that approximately 60% of organizations in the region have had at least one security incident over the last 1–2 years. This is mainly due to the growth in online data, as well as the increasing sophistication and organization of attackers. Other key factors are poor security practices, insufficient training and support, and the continuing use of unpatched or out-dated software. Comparatively, the statistics for personal users may be even higher given the significantly weaker or non-existent security controls present in many home computing environments.
ICTP: Based on your experience, what are some of the common misconceptions that organisations have about network security?
NH: The most common misconception about network security is that technology alone can provide adequate, effective and sustainable protection for information assets. An effective network security program encompasses people, process and technology. In the context of staffing (people), it is all about how you rationalize your IT security skill requirements to effectively address evolving security threats. This rationalization should allow for the creation of a baseline which characterizes, at a bare minimum, the core competences that IT security practitioners should possess to perform specific roles and responsibilities. These roles should be created, properly staffed and subject to on-going training.
Aside from security practitioners, end-users should be exposed to education programs which foster awareness of the importance of security, as well as promote constant vigilance to prevent online fraud. From the process standpoint, there should be policies, procedures and guidelines in place which serve to govern the use of information and communication technologies. These processes should be explicit (non-ambiguous), consistent and enforceable. And finally, the technology that exists to prevent, detect and, to some degree, correct security attacks is becoming more and more advanced. However, without a focus on people and process to complement the technology, a firm’s network security posture can be tantamount to having a gate with no sentry.
ICTP: Are there any hardware and/or software solutions that you believe might be more effective in addressing cyber intrusions?
NH: I tend not to be an advocate of any particular vendor solution or software product, especially given the rampant commoditization in the industry. However, what I will zero in on is the importance of ‘defence-in-depth’. This is in essence the layering of security technologies to provide a more comprehensive array of controls to better protect an organization’s information assets.
Here is a quick example: The perimeter of a company can be protected by firewalls, which are bolstered with network intrusion detection / prevention systems. Internet-facing assets such as web servers can be located in a DMZ (demilitarized zone) to prevent access to the internal network if these nodes are compromised. High-risk assets (general ledger systems, core banking systems, payroll systems, etc.) can be segmented further by placing them behind internal firewalls with very tight rules which only allow access by a limited number of other services or users. Network access control (NAC) or port-based authentication can be instituted to force any device that plugs into the network infrastructure to be authenticated. And other controls can be added, such as anti-spyware, anti-virus, host-based firewalls, host-based intrusion detection systems and so on, to provide ‘layers’ of protection which make it more difficult for attackers to access confidential information.
However, the degree of layers put in place is highly dependent on the value of the information assets to be protected and the capital funding available to purchase these software / hardware solutions. One principal tenet to bear in mind is that a control should never cost more than the information asset that it is protecting.
ICTP: Are there any cyber security-associated resources or support structures you believe are lacking nationally, in Barbados, and/or perhaps at the regional level?
NH: At the national level (Barbados included), there is insufficient capacity for cyber security response. When I say insufficient capacity, I am referring primarily, at a high level, to the absence of a distinctive authority or institution responsible for cyber security. This means an organization with clear mandates, appropriate funding, trained personnel and the capabilities to address and respond to national security incidents.
What are also needed are public-private partnerships to facilitate resource sharing and support structures between governments (who have limited funding and inadequate structures) and the private sector (whose capabilities are usually in a more evolved or mature state). And finally, I would also say that technical assistance or international cooperation partnerships are lacking as well. These represent the ways and means for governments to benefit from the funding, training and other means of support available from the international community.
ICTP: To wrap up, is there any one tip you could share that could reduce the risk of cyber intrusion to organisations, or even to the personal user?
NH: I would recommend that organisations, as well as casual users, take steps to classify the information which they store on their computer systems. Information classification is the basis for developing any security regime. It is basically the categorization (e.g. Top Secret, Confidential, Internal, and Public) of the various forms of information which are kept. Each category of data should have an owner; the owner should then determine who is allowed to access the data and what level of protection should be implemented to protect the data set.
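The segmentation Niel describes in his defence-in-depth answer (Internet-facing web tier in a DMZ, the internal network reachable from the DMZ only on specific services, high-risk systems behind an internal firewall that admits a short allow-list of sources) can be written down as a default-deny policy and checked against candidate flows before it is pushed to a firewall. The Python below is an added illustration, not code from the interview or from any of the organizations mentioned; the zone address plan, the host addresses and the rule set are constructed for the example, and the nftables-style output at the end is one possible rendering of the same policy, not a configuration taken from any real deployment.

```python
"""Default-deny zone policy check for a layered (defence-in-depth) network.

Zones, addresses and rules here are constructed for illustration only.
First matching rule wins; anything unmatched is dropped, which is the
property that keeps a compromised DMZ host from wandering inward.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed address plan: one or more networks per zone.
# 0.0.0.0/0 stands for "everything not claimed by a more specific zone".
ZONES = {
    "internet": [ip_network("0.0.0.0/0")],
    "dmz": [ip_network("192.0.2.0/24")],        # public web servers
    "internal": [ip_network("10.10.0.0/16")],   # general corporate LAN
    "high_risk": [ip_network("10.99.0.0/24")],  # core banking, payroll, ledger
}


@dataclass(frozen=True)
class Rule:
    src: str                                    # source zone name
    dst: str                                    # destination zone name
    proto: str                                  # "tcp" or "udp"
    dport: Optional[int]                        # None = any destination port
    action: str                                 # "allow" or "deny"
    comment: str
    src_hosts: FrozenSet[str] = frozenset()     # narrow the source to named hosts


# Constructed rule set. Note there is no rule from "dmz" to "high_risk" at all,
# and the only path into "high_risk" is one named application server.
RULES: List[Rule] = [
    Rule("internet", "dmz", "tcp", 443, "allow", "public web front end"),
    Rule("internet", "dmz", "tcp", 80, "allow", "redirect to https"),
    Rule("dmz", "internal", "tcp", 5432, "allow", "web tier to its database only"),
    Rule("internal", "high_risk", "tcp", 1521, "allow",
         "finance app server to core ledger", frozenset({"10.10.5.20"})),
]

DEFAULT: Tuple[str, str] = ("deny", "implicit default deny: no rule matched")


def zone_of(ip: str) -> str:
    """Longest-prefix match so the catch-all 0.0.0.0/0 never shadows a real zone."""
    addr = ip_address(ip)
    best, best_len = None, -1
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    if best is None:
        raise ValueError(f"no zone for {ip}")
    return best


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for a single flow; first match wins, else DEFAULT."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if (r.src, r.dst, r.proto) != (src_zone, dst_zone, proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.src_hosts and src_ip not in r.src_hosts:
            continue
        return r.action, r.comment
    return DEFAULT


def to_nftables(rules: List[Rule]) -> List[str]:
    """Render the policy as nftables-style rule lines (illustrative mapping)."""
    lines = []
    for r in rules:
        sources = sorted(r.src_hosts) or [str(n) for n in ZONES[r.src]]
        for s in sources:
            for d in ZONES[r.dst]:
                match = (f" {r.proto} dport {r.dport}" if r.dport is not None
                         else f" ip protocol {r.proto}")
                verb = "accept" if r.action == "allow" else "drop"
                lines.append(f'ip saddr {s} ip daddr {d}{match} {verb} comment "{r.comment}"')
    lines.append('drop comment "default deny"')
    return lines


if __name__ == "__main__":
    # Constructed flows: what an attacker on a compromised DMZ host could reach.
    for flow in [("203.0.113.7", "192.0.2.10", "tcp", 443),
                 ("192.0.2.10", "10.10.1.5", "tcp", 5432),
                 ("192.0.2.10", "10.10.1.5", "tcp", 22),
                 ("192.0.2.10", "10.99.0.5", "tcp", 1521),
                 ("10.10.7.33", "10.99.0.5", "tcp", 1521),
                 ("10.10.5.20", "10.99.0.5", "tcp", 1521)]:
        print(flow, "->", evaluate(*flow))
    print("\n".join(to_nftables(RULES)))
```

The useful check is the negative one: a web server in the DMZ that is fully compromised can still reach only the database port it was already allowed to use, and nothing in the high-risk segment, because the policy has no rule for that path rather than relying on someone remembering to write a deny. The same evaluate function can be run over a proposed rule change to confirm that it does not quietly open a path from the DMZ inward.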
Images: chanpipat; jscreationzs / FreeDigitalPhotos.net
_____________
Thank you very much for this insight. I will need to contact you about citing this in a paper I am writing re cyber security in the Caribbean. I don’t think many people realise that Caribbean Nations are also vulnerable to cyber criminal activity.
Sure, whenever you are ready…
Hi Ya,
Is there a collaborative effort between countries in addressing this issue? I know individual countries are putting different laws and measures in place but is there any joint effort or has CARICOM sought to do anything other than the act/s developed?
I agree with the misconception you cited; however, I also think there is a feeling of “Oh, it won’t/can’t happen to me”.
Again
Thank you
I think from a regional perspective, the short answer is no. My understanding is that we are still at the awareness building stage – trying to sensitize policy makers, having workshops, etc – so I am not sure the political will is there (as yet) to decisively address cyber crime and cyber security at the national and regional levels…
One of my greater concerns is that so much of the legislative responses to cybercrime are being undertaken in silos. I think that CARICOM should seek to develop ‘acceptable behaviors or norms’ for Internet activity. These norms should be aligned with an internationally and more widely acceptable set of ‘acceptable norms’. And any individuals or persons acting outside of these norms should be subject to a harmonized legal response. So in essence, all the countries in the region should be working on national and regional legislation that looks, sounds and feels the same way. This would solve any issues with cross-border fragmentation, which could result in safe havens for cyber-criminals (e.g. someone in St. Kitts compromises a web server in Barbados, but while the act is a felony in Barbados with a penalty of 5-10 years, the laws in St. Kitts are ambiguous or non-existent).
Interesting, as always. Good read. You raised the question of the prevalence of cyber intrusions in the wider Caribbean. Just a few days ago, I came across an unverified report of hackers breaking into our Ministry of Finance (Trinidad and Tobago) but there was no subsequent mention of any sensitive data being leaked. http://www.cyberwarnews.info/2012/03/04/republic-of-trinidad-and-tobago-ministry-of-finance-hacked-and-data-leaked/
Local media picked it up but dropped it pretty quickly, probably because mainstream media lack expertise in this particular field.
What’s your recommendation for Caribbean tech journalists who may be trying to independently verify similar online reports of hacking?
Hi Gerald,
Difficult question..
In the absence of CERTs (Computer Emergency Response Teams) either locally or regionally, I think there might be some difficulty in trying to independently verify reports of hacking. (For some insight into CERTs see – https://www.ict-pulse.com/?p=2456).
My (limited) observation has been that the hackers typically are the ones who reveal (first) that they have breached a particular network, and sometimes publish some or all of the data that was captured – which is similar to what obtained in the Cyber War News report. Other news/reporting agencies and blogs may pick up the story, but often the sources are usually the same, and the language tends to be somewhat guarded – using words like “allegedly”, “reportedly”, etc.
Moreover, it is usually with great reluctance that an organization will admit that it has suffered an intrusion. Sometimes, that admission is made only because the hackers publicly announced the breach, which in turn forced the company to look for it, and report back their findings.
This is my two cents… Hopefully someone else will offer further insight…
This is a good assessment Michele and your answer is accurate. To have your network hacked leads to some level of embarrassment and, as Niel pointed out, there may be financial implications and the organisation’s reputation can also take a hit. Therefore, only when there is disruption to the extent that customers are adversely affected are organisations prompted to make these public announcements. In many countries, however, hacking is a criminal offence punishable by law. A network intrusion, once detected, should therefore lead to criminal investigations, which are more public. The point here is that this will serve to further verify that a hacking incident did take place and outline specifically what was stolen or unlawfully accessed in very precise terms.
This is great! Crime is traditionally not always easy to unveil, ie in the ordinary worldly space. What more in cyber space! Discussions like this provide a bit more light on this complex and serious issue.
Thanks Kamutula!
This is a very important and interesting discussion. I believe that many of our leaders are still not fully appreciative of the dire consequences cybercrime can have on our national security and our social and economic well-being as small island nations. I am aware that a few of the OECS and CARICOM member states are taking advantage of the HIPCAR Project (Enhancing Competitiveness in the Caribbean through the Harmonization of ICT Policies, Legislation and Regulatory Procedures) by drafting and enacting legislation to deal with Cybercrime. However, without the necessary infrastructure, human and financial resources, and both regional and international cooperation in this area, the legislation will be useless.
A forum like this will play an important role in sensitizing persons about such consequences, but perhaps the powers that be can do with a little push in the right direction by the presentation of a paper or organized discussion on the effects/consequences of cybercrime on developing countries or small Caribbean states or some such thing. Congratulations to ICT Pulse and its innovators; this is a much needed resource, and thanks to Mr. Niel Harper for sharing his knowledge and experience.
Independent audits are also very critical. Many organisations, particularly public sector organisations, have different standards by which they measure the technical competence of their staff. We trust the Accountant, but still there is a legal requirement to have the books independently audited. In the same way there should be independent security audits. A network administrator may seek to cover up intrusions for fear that it reflects poorly on their own capabilities. This can be easily done where there is no network disruption, only the “quiet” theft of data. Organisations can employ the services of “ethical” hackers who look for weak security policies and systems on their behalf. It is better for the organisation to find these vulnerabilities on their own than for “unethical” hackers to do so. Too often, however, we take the approach that we have a firewall, we have anti-virus and content-filtering systems, and we are good to go. Hacking tools are freely available on-line. It has literally become child’s play, and organisations have to stay ahead of the curve and take the issue seriously by removing it out of the realm of technical staff wholly and solely and by taking a more holistic approach that involves top management (often the ones with the highest security clearance) and end users (often the ones who fall victim to social engineering).