We continue our conversation with network/IT security professionals – part two of our second instalment – on network intrusion and security in the Caribbean, in the hope of gaining new insights for 2016.
In our previous post, published on Wednesday, 11 May, we shared the first part of our discussion with Hector Diaz of Intel Security (formerly McAfee). To recap, Hector is the Regional Account Manager, Caribbean. In addition to his extensive experience in IT security in the region, Hector can draw on the knowledge bank of Intel Security to provide some unique insights on cyber intrusions and threats across the Caribbean, and advice on how best to manage such situations.
ICT Pulse: Are you observing any real evidence of a greater willingness among organisations to take cyber/network security more seriously? How is that awareness (or lack thereof) being manifested?
Hector Diaz: There is definitely a greater willingness to take cybersecurity seriously. For example, we have participated in meetings with the CIOs of Jamaica, the Dominican Republic and Trinidad, and we have seen how cybersecurity occupies a significant share of government investment in ICT, not only from a technology perspective but also from a training perspective for security administrators, as well as security awareness training for the general population that works in ministries and public institutions. This is a process and it takes time, but we are definitely getting better as a region at a public/state level.
In the private sector, professionals are more inclined to exchange ideas with their peers than they were 5 years ago, when no one would share their best practices or their experiences of how to tackle cybersecurity challenges. One example of that is the proliferation of professional associations in the area, such as ISACA, ISSA and ISC² chapters in the region, where we have been able to participate and collaborate in places like the Dominican Republic, Puerto Rico, Barbados, Jamaica, Trinidad and Curaçao, where cybersecurity professionals are organised around these chapters and periodically meet to exchange ideas and best practices in an open forum.
We have also seen initiatives in the financial sector to exchange threat intelligence across commercial/private banks, so that as a community they can stay on top of emerging threats, for the benefit of their own organisations as well as the public that receives their services.
ICTP: Have you observed any changes in end-user behaviour? Do you think IT staff have done enough sensitisation to bring about behavioural change in their users?
HD: In terms of user behaviour, I think “enough” is not an applicable word; it has to be a constant/permanent process. Depending on the maturity level of some organisations, we have seen multiple structured programs to raise awareness of how to protect information, how to stay safe while using connected services, and also the introduction of social engineering surveys to test users’ behaviour, but this is only in highly regulated institutions, primarily the banking sector. But I’m optimistic that these practices will soon be applicable to companies, institutions and the connected population in general.
ICTP: As you are aware, there has been considerable concern and discussion about ransomware. If there is one thing people should know about this threat, what would that be? Can organisations recover their network data that has been corrupted by ransomware? What would be your best advice to minimise the effect of ransomware?
HD: The rise of ransomware has been phenomenal, fleecing hundreds of millions of dollars from consumers, businesses, and even government agencies. This financial windfall for cybercriminals will fuel continued innovation, creativity, and persistence to victimize as many people as possible. The threat has found a soft spot, taking advantage of human frailties while targeting something of meaningful value to the victim, then offering remediation at an acceptable price point. This form of extortion is maturing quickly, exhibiting a high level of professional management, coding, and services. Ransomware is proving very scalable and difficult to undermine.
Unfortunately, there are hundreds (if not thousands) of variants and, as I mentioned at the beginning of this interview, open-source ransomware code and ransomware-as-a-service give virtually anyone the ability to create successful attacks and new variants. The security industry has been able to decrypt a few of these variants, but the rapid evolution and adaptation of these threats makes the chance of recovering the information very, very small.
As an example, you can find some information about how to unlock a very specific version of ransomware here: https://www.grahamcluley.com/2016/04/petya-ransomware-unlock-tool/
But this is just one variant, which doesn’t really help compared to the universe of cases and affected individuals/organisations.
The best advice I can give to your audience is to take a three-step approach to ransomware:
- User education and awareness: we have to engage with human resources departments to spread information and education throughout organisations on how to avoid ransomware, not only to employees but also to customers of those organisations.
- Backup: when we talk about backing up information, this can be achieved through a general company policy that stores copies of users’ information in a central repository and/or, through the first step of user education, by teaching our users some simple actions they can follow to minimise the damage in the event of a ransomware infection:
  - Use external drives for important files: criminals might be able to hack into your computer, but they can’t get to an external device if it isn’t connected to your PC or a network.
  - Use cloud storage as a second layer of backup: with the wide adoption of SSL and the numerous encryption tools that the security industry provides, it has become very easy and transparent to encrypt users’ data and securely move it to the cloud.
- The implementation of a Threat Intelligence Model across the organisation: companies need to start evaluating these types of technologies, which can augment the effectiveness of their current security layers through the exchange of threat data that can protect not one but all of their security devices and assets.
Increasing support for cyberthreat-intelligence technical standards will help people understand exactly what is and is not included in a threat record and will broaden industry implementations. Although some organizations believe they stand a better chance of identifying and catching bad guys by themselves if they keep the attack details private, more and more realize that the changing nature of attacks makes sharing more valuable than secrecy. Standardization will also make it easier to combine and correlate multiple discrete observations into a larger and more accurate picture of a particular threat.
Catching modern, adaptive attacks is difficult for traditional endpoint and firewall defenses working in isolation because the attacks often mutate every few hours or days, faster than signature updates and scanning tools can keep up. The trend toward targeted attacks is also increasing interest in industry-specific cyberthreat intelligence.
At Intel Security, we are helping our customers in the evolution and implementation towards these types of frameworks through our Data Exchange Layer and Threat Intelligence Exchange. Both components integrate with third parties to incorporate multiple sources of threat data and stay on top of advanced threats in almost real time.
ICTP: Finally, are there any key areas businesses should be investing their network security/IT dollars this year?
HD: As a cybersecurity strategist, I personally think that we should evaluate future risks and opportunities. There are a number of topics, technologies and business areas that I think we all must learn about, discuss and deliberate on now, so that we can be prepared for the near future:
- Governance, Risk and Compliance – enhance the maturity level of organisations
- User Security awareness and training – incorporate a defined approach to this, integrated with all the business areas across the company, not only ICT.
- Threat Intelligence – implement and take advantage of these types of frameworks; sharing is more valuable than secrecy.
- Incident Response – facilitated triage and response is key to prioritising and providing speedy investigation and remediation in a closed loop that can cover the whole organisation.
- Intelligent Security Operations – the adoption of a holistic approach to analytics, big data and how to create actionable intelligence through the collection of all this data is key.
- Virtualization and Cloud Security – with the evolution of the datacenter, we MUST adapt our security strategy to this new reality to be more agile and effective; we need to evaluate solutions created and designed for this new environment instead of trying to protect it with solutions for the physical/traditional world.
- Cybersecurity training for administrators – companies need to invest in training that relates not only to software/solution implementation, but also to general security knowledge such as penetration testing, forensic analysis, secure code development and certifications in security management, so that security admins can be prepared to tackle challenges and also provide value to the business from cybersecurity.
We also recommend that businesses stay on top of all the trends in the threatscape; to that end, we have issued several articles and studies with predictions for the next five years, which you can find at http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
Image credits: Perspecsys Photos; H Diaz, Twitter
______________
This is a very well-covered session, in both parts of cyber-security. Thanks to both interviewers and the interviewee for the depth and breadth of coverage.
The recommendation of cloud backup cannot be over-emphasised. The ease of availability of one’s backed-up data is probably the biggest win for it.
The one thing I still feel requires a bit more mention is the efficacy (or lack thereof) of free anti-virus software such as Microsoft Security Essentials, which is so freely available nowadays. There is an inclination to think there is safety in it, at least at the minimum end of the security spectrum.