This is the first in our series seeking insight from network/IT security professionals across the region on cyber intrusion and security in the Caribbean.
About two weeks ago, LIME customers in Barbados experienced some degradation of their broadband service. The cause: “a deliberate attack on the internet infrastructure by an external source”, LIME revealed in a press release issued after systems were well in the process of being restored. As expected, LIME sought to reassure customers that the distributed denial-of-service (DDoS) attack on their systems…
… was not widespread and that our servers have not been compromised. Our firewalls are robust and are configured to international standards. In fact, to guard against these types of attacks we have increased our defences both locally and internationally… (Source: LIME)
However, appreciating the considerable resources to which a company like LIME has access, and the concerns regularly being expressed that the Caribbean has become a haven for cyber criminals (see Where is Internet Governance going in the region?), we in the region might not fully understand the extent to which we are susceptible to a broad range of cyber threats and intrusions. Hence ICT Pulse will be asking IT/network security professionals across the region for their views on this critical issue.
To kick off this series, we posed a few questions to Niel Harper. Niel, who is based in Barbados, has over 16 years’ experience in Telecommunications Engineering, Information Security Management, Business Continuity Management, Enterprise Risk Management, and ICT Regulation and Policy. He has worked for organizations such as Cable & Wireless, AT&T, Cingular Wireless and CIBC First Caribbean in the region.
Should you have questions you would like to pose to Niel, or views you would like to share, please do so in the Comments area below.
ICT Pulse: How prevalent do you think cyber intrusions are in Barbados, and in the wider Caribbean?
Niel Harper: Precise figures are hard to provide due to the fact that many companies in Barbados and the wider Caribbean do not report breaches. This can be due to numerous reasons, ranging from the reputation (regulatory consequences and service outages) and financial (share prices hits or revenue decreases) risks associated with the compromise of private information, to the fact that there are no pervasive legislative frameworks which mandate that firms report breaches to government or to their customers.
However, I would say that approximately 60% of organizations in the region have had at least one security incident over the last 1–2 years. This is mainly due to the growth in online data, as well as the increasing sophistication and organization of attackers. Other key factors are poor security practices, insufficient training and support, and the continuing use of unpatched or outdated software. Comparatively, the statistics for personal users may be even higher given the significantly weaker or non-existent security controls present in many home computing environments.
ICTP: Based on your experience, what are some of the common misconceptions that organisations have about network security?
NH: The most common misconception about network security is that technology alone can provide adequate, effective and sustainable protection for information assets. An effective network security program encompasses people, process and technology. In the context of staffing (people), it is all about how you rationalize your IT security skill requirements to effectively address evolving security threats. This rationalization should allow for the creation of a baseline which characterizes, at a bare minimum, the core competences that IT security practitioners should possess to perform specific roles and responsibilities. These roles should be created, properly staffed and subject to ongoing training.
Aside from security practitioners, end-users should be exposed to education programs which foster awareness of the importance of security, as well as promote constant vigilance to prevent online fraud. From the process standpoint, there should be policies, procedures and guidelines in place which serve to govern the use of information and communication technologies. These processes should be explicit (non-ambiguous), consistent and enforceable. And finally, the technology that exists to prevent, detect and, to some degree, correct security attacks is becoming more and more advanced. However, without a focus on people and process to complement the technology, a firm’s network security posture can be tantamount to having a gate with no sentry.
ICTP: Are there any hardware and/or software solutions that you believe might be more effective in addressing cyber intrusions?
NH: I tend not to be an advocate of any particular vendor solution or software product, especially given the rampant commoditization in the industry. However, what I will zero in on is the importance of ‘defence-in-depth’. This is in essence the layering of security technologies to provide a more comprehensive array of controls to better protect an organization’s information assets.
Here is a quick example: The perimeter of a company can be protected by firewalls, which are bolstered with network intrusion detection / prevention systems. Internet-facing assets such as web servers can be located in a DMZ (demilitarized zone) to prevent access to the internal network if these nodes are compromised. High-risk assets (general ledger systems, core banking systems, payroll systems, etc.) can be segmented further by placing them behind internal firewalls with very tight rules which only allow access by a limited number of other services or users. Network access control (NAC) or port-based authentication can be instituted to force any device that plugs into the network infrastructure to be authenticated. And other controls can be added, such as anti-spyware, anti-virus, host-based firewalls, host-based intrusion detection systems and so on, to provide ‘layers’ of protection which make it more difficult for attackers to access confidential information.
However, the degree of layers put in place is highly dependent on the value of the information assets to be protected and the capital funding available to purchase these software / hardware solutions. One principal tenet to bear in mind is that a control should never cost more than the information asset that it is protecting.
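The segmentation Niel describes above (perimeter firewall, a DMZ that cannot reach inward, and high-risk assets behind an internal firewall with very tight rules) can be expressed in a single ruleset on a multi-homed Linux firewall. The following nftables script is an added illustration for this article; it is not Niel's, LIME's or any named organisation's configuration. The interface names, the RFC 5737 / RFC 1918 addresses, the jump-host list and the database port are all assumptions chosen for the example, and inbound NAT for the public web address is left out so the forwarding policy stays readable.

```nftables
#!/usr/sbin/nft -f
# Added example: three-tier segmentation with a default-deny forward policy.
# All addresses, interfaces and ports below are assumptions for illustration.
flush ruleset

define WAN_IF  = "eth0"          # internet-facing
define DMZ_IF  = "eth1"          # public web tier
define LAN_IF  = "eth2"          # staff workstations
define CORE_IF = "eth3"          # general ledger / core banking segment

define WEB_SERVER = 192.0.2.10   # assumed DMZ web server
define JUMP_HOSTS = { 10.10.5.10, 10.10.5.11 }   # assumed hardened admin hosts in the LAN
define LEDGER_DB  = 10.20.0.5    # assumed high-risk asset in the core segment

table inet segmentation {
    chain forward {
        # Nothing crosses a segment boundary unless a rule below says so.
        type filter hook forward priority 0; policy drop;

        # Replies to permitted sessions are allowed; malformed state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Layer 1, perimeter: the internet may reach only the web server, only on 443.
        iifname $WAN_IF oifname $DMZ_IF ip daddr $WEB_SERVER tcp dport 443 accept

        # Layer 2, DMZ isolation: a compromised web server cannot initiate any
        # connection into the internal LAN or the core segment. Log, then drop,
        # so a pivot attempt shows up in the logs rather than failing silently.
        iifname $DMZ_IF oifname { $LAN_IF, $CORE_IF } log prefix "dmz-to-internal: " drop

        # Staff may browse the internet and use the DMZ web application.
        iifname $LAN_IF oifname $WAN_IF tcp dport { 80, 443 } accept
        iifname $LAN_IF oifname $DMZ_IF ip daddr $WEB_SERVER tcp dport 443 accept

        # Layer 3, core segment: only the named jump hosts, only to the ledger
        # database, only on its service port. Everything else from the LAN is
        # logged and dropped. This is the "very tight rules" layer.
        iifname $LAN_IF oifname $CORE_IF ip saddr $JUMP_HOSTS ip daddr $LEDGER_DB tcp dport 5432 accept
        iifname $LAN_IF oifname $CORE_IF log prefix "lan-to-core: " drop

        # The core segment never initiates outbound traffic anywhere.
        iifname $CORE_IF log prefix "core-egress: " drop
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`. The point to verify is the one in the text: with this policy a foothold on the web server gives an attacker no route to the general ledger, and even a compromised workstation can only reach the database if it is one of the two jump hosts. The `log` statements on the drop rules are what turn the internal firewalls into a detection layer as well as a prevention layer; they should feed the same place as the intrusion detection alerts mentioned above.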
ICTP: Are there any cyber security-associated resources or support structures you believe are lacking nationally, in Barbados, and/or perhaps at the regional level?
NH: At the national level (Barbados included), there is insufficient capacity for cyber security response. When I say insufficient capacity, I am referring primarily, at a high level, to the absence of a distinctive authority or institution responsible for cyber security. This means an organization with clear mandates, appropriate funding, trained personnel and the capabilities to address and respond to national security incidents.
What are also needed are public-private partnerships to facilitate resource sharing and support structures between governments (who have limited funding and inadequate structures) and the private sector (whose capabilities are usually in a more evolved or mature state). And finally, I would also say that technical assistance or international cooperation partnerships are lacking as well. These represent the ways and means for governments to benefit from the funding, training and other means of support available from the international community.
ICTP: To wrap up, is there any one tip you could share that could reduce the risk of cyber intrusion to organisations, or even to the personal user?
NH: I would recommend that organisations, as well as casual users, take steps to classify the information which they store on their computer systems. Information classification is the basis for developing any security regime. It is basically the categorization (e.g. Top Secret, Confidential, Internal, and Public) of the various forms of information which are kept. Each category of data should have an owner; the owner should then determine who is allowed to access the data and what level of protection should be implemented to protect the data set.