This is the first in our series seeking insight from network/IT security professionals across the region on cyber intrusion and security in the Caribbean.
About two weeks ago, LIME customers in Barbados experienced some degradation of their broadband service. The cause: “a deliberate attack on the internet infrastructure by an external source”, LIME revealed in a press release issued after systems were well in the process of being restored. As expected, LIME sought to reassure customers that the distributed denial-of-service (DDoS) attack on their systems…
“… was not widespread and that our servers have not been compromised. Our firewalls are robust and are configured to international standards. In fact, to guard against these types of attacks we have increased our defences both locally and internationally…” (Source: LIME)
However, appreciating the considerable resources to which a company like LIME has access, and the concerns regularly being expressed that the Caribbean has become a haven for cyber criminals (see Where is Internet Governance going in the region?), we in the region might not fully understand the extent to which we are highly susceptible to a broad range of cyber threats and intrusions. Hence ICT Pulse will be asking IT/network security professionals across the region their views on this critical issue.
Niel Harper: Precise figures are hard to provide due to the fact that many companies in Barbados and the wider Caribbean do not report breaches. This can be due to numerous reasons, ranging from the reputation (regulatory consequences and service outages) and financial (share price hits or revenue decreases) risks associated with the compromise of private information, to the fact that there are no pervasive legislative frameworks which mandate that firms report breaches to government or to their customers.
However, I would say that approximately 60% of organizations in the region have had at least one security incident over the last 1–2 years. This is mainly due to the growth in online data, as well as the increasing sophistication and organization of attackers. Other key factors are poor security practices, insufficient training and support, and the continuing use of unpatched or out-dated software. Comparatively, the statistics for personal users may be even higher given the significantly weaker or non-existent security controls present in many home computing environments.
ICTP: Based on your experience, what are some of the common misconceptions that organisations have about network security?
NH: The most common misconception about network security is that technology alone can provide adequate, effective and sustainable protection for information assets. An effective network security program encompasses people, process and technology. In the context of staffing (people), it is all about how you rationalize your IT security skill requirements to effectively address evolving security threats. This rationalization should allow for the creation of a baseline which characterizes, at a bare minimum, the core competences that IT security practitioners should possess to perform specific roles and responsibilities. These roles should be created, properly staffed and subject to on-going training.
Aside from security practitioners, end-users should be exposed to education programs which foster awareness of the importance of security, as well as promote constant vigilance to prevent online fraud. From the process standpoint, there should be policies, procedures and guidelines in place which serve to govern the use of information and communication technologies. These processes should be explicit (non-ambiguous), consistent and enforceable. And finally, the technology that exists to prevent, detect and to some degree, correct security attacks is becoming more and more advanced. However, without a focus on people and process to complement the technology, a firm’s network security posture can be tantamount to having a gate with no sentry.
ICTP: Are there any hardware and/or software solutions that you believe might be more effective in addressing cyber intrusions?
NH: I tend not to be an advocate of any particular vendor solution or software product, especially given the rampant commoditization in the industry. However, what I will zero in on is the importance of ‘defence-in-depth’. This is in essence the layering of security technologies to provide a more comprehensive array of controls to better protect an organization’s information assets.
Here is a quick example: The perimeter of a company can be protected by firewalls, which are bolstered with network intrusion detection / prevention systems. Internet-facing assets such as web servers can be located in a DMZ (demilitarized zone) to prevent access to the internal network if these nodes are compromised. High-risk assets (general ledger systems, core banking systems, payroll systems, etc.) can be segmented further by placing them behind internal firewalls with very tight rules which only allow access by a limited number of other services or users. Network access control (NAC) or port-based authentication can be instituted to force any device that plugs into the network infrastructure to be authenticated. And other controls can be added such as anti-spyware, anti-virus, host-based firewalls, host-based intrusion detection systems and so on, to provide ‘layers’ of protection which make it more difficult for attackers to access confidential information.
Images: chanpipat; jscreationzs / FreeDigitalPhotos.net