Aaron Manzano, of HMP Consulting in Trinidad and Tobago, and a IT/network security expert, continues our Q&A series on cyber security in the region.
The only truly secure system is one that the development process is controlled from the beginning, located in at a site with a harden bunker deep underground, with no communications links to the outside and all informed and aware of its existence are terminated to prevent leaks as the site is nuked.
The above quote is a paraphrase of our guest expert’s recollection of views expressed in the “Orange Book” – the US Department of Defense Trusted Computer System Evaluation Criteria – and is precisely the reason why network security is so critical. Our networks exist in an imperfect world, where we cannot control all the factors the quote suggest are necessary to create a truly secure system.
In this the third in our expert series, we discuss cyber security in Trinidad and Tobago with Aaron Manzano, an IT/network security professional with over 30 years’ experience in the field. Aaron’s specialties include IT Operations and Management, Network Design and Implementation, Information and Network Security, and Systems Development and General Management, and over the last seven years, he has been the Director of HMP Consulting, and is based in Trinidad and Tobago.
ICT Pulse: Hi Aaron, how prevalent do you think cyber intrusions are in Trinidad and Tobago, and in the wider Caribbean? By chance, do you access to data?
Aaron Manzano: The level of cyber intrusion in Trinidad and Tobago is unknown as organizations aren’t required to submit any incident reports or even acknowledge its existence. In particular, this is a touchy subject for Media Houses, Financial Institutions and Governments who guarded about releasing such data.
Based on our investigations, many networks in Trinidad and Tobago are attacked regularly. As indicated, the level of intrusion success is unknown; however we continue to observe constant intrusion attempts, with China, Hong Kong and Russia topping the list.
It my belief this is situation is not only prevalent Trinidad and Tobago but is also the case in the wider the Caribbean.
ICTP: Based on your experience, what are some of the common misconceptions that organisations have about network security?
AM: These are many, so I will just reference a few:
- “Having a Firewall and Antivirus is enough.” Unfortunately, that is the starting point.
- Management total lack of understanding/appreciation of the issues at hand.
- People’s idea that: “Patching Microsoft Windows will break my app”. Not patching my O/S and Applications (Microsoft Windows, Linux or whatever you use) is the same as leaving the keys in the door. Someone eventually can or will walk in and make themselves at home and you won’t know until it’s too late.
- Configuration Management: Not having an inventory of your Hardware and Software Resources and establishing Access Controls based on Ownership, Responsibility and Functions; which is like your friend parking the car in your yard, the car he borrowed, the same car that was rented yesterday to his cousin.
- Depending in vendors and products to keep you safe. Information security is a discipline and a practice based on a constant effort to stay informed and having a process that addresses risks against business needs. This emphasis is lacking even within organizations that should know better.
- Leaving systems with defaults or obvious settings, controls or passwords on the assumption that we will get to it later.
- Not evaluating your service providers.
- Limited employee education regarding policies (if they exist), security compliancy and what to do if they are victims.
ICTP: In your capacity as an Internet Security Strategist, what are three key questions businesses should ask themselves when assessing the secureness of their networks?
AM: 1. What do I need to protect?
2. Whom am I protecting it from?
3. What would be the business impact should there be a breach whether it occurs internally or externally?
ICTP: Are any trends you have observed, or have been reported, regarding threats/intrusions in Trinidad and Tobago, or in the region?
AM: I think the biggest trend we are observing is the presence of Command and Control BOT, Attempted Domain Hijacks and Fake Antivirus. Other than that, constant port scans. The organization with the smallest footprint fares best, but are not immune.
The trend that is worrying is the uncontrolled deployment of mobile devices. Most organizations are allowing staff to bring and use their personal devices without a clear policy of use and responsibility of data.
ICTP: What resources and/or support structures currently exist in Trinidad and Tobago (e.g. legislation, special interest groups, agencies, etc.) to address cyber security?
AM: It is difficult to answer this question fairly as there are initiatives to promote safe, responsible and legal use of Information Technology in Trinidad and Tobago. Moreover, it is like a preacher preaching to the converted. Many are hearing but hardly any are listening. Special Interest Groups that exist tend to be full of techies most not focused on the business issues. We need more Executive Management involvement and the willingness of those executives to share.
On the legal side, our Parliament has drafts that keep going back for review, which is delaying any legal leverage for business accountability.
ICTP: Finally, what do you believe should be the next steps in Trinidad and Tobago, and/or in the wider Caribbean, to move national (and/or regional efforts) on cyber security in the right direction?
AM: I have always believed that the Central Banks of the region should get together to drive these initiatives. They are best placed to advise governments and businesses. Also, they are well connected with similar agencies outside of the region where they already share information and best practices. Things I would like to see the Central Banks do are as follows:
- Establish and manage a Root CA for CARICOM. This can be hosted in Jamaica or Barbados as they are better prepared for natural disasters.
- Establish Education and Compliance Guidelines for Cyber Security and monitor it.
- Establish a committee (I don’t like committees) of business and government stakeholders to share knowledge and strategy.
Do you have any questions for Aaron, or views you would like to share? Please do so in the Comments area below.
Looking forward to your feedback!
Image: Victor Habbick / FreeDigitalPhotos.net