Expert insights 1: Cyber threats and security in the Caribbean 2013 update
We revisit our discussion with network/IT security professionals on cyber intrusion and security in the Caribbean, in the hope to gain new insights in 2013.
A few weeks ago, the Guardian Newspaper in Trinidad and Tobago published an article, “Caribbean cyberttacks on the rise?”, in which it listed 20 cyber crime stories that were reported between April 2012 and March 2013. Unlike previous years, where they might be just a handful of news reports on unauthorised intrusions, at the very least, more of them are finding their way into the public domain, which hopefully is fostering greater awareness of cyber threats and the need for greater vigilance and security.
When we launched our Expert Insights series last year, we asked network/IT security professionals across the region about cyber intrusion and security in the Caribbean, in the hope of gaining a better understanding of among other things:
- the prevalence of such intrusions and threats in the region
- key misconceptions organisations tend to have about network security, and
- solutions tat could be considered.
We kick off the 2013 update of this series with Deon Olton. Deon, who is based in Barbados, has over 18 years’ experience in IT field, including over 10 years as a Telecommunications and Network Vulnerability Consultant. For the last five years he has been an EC-Council Certified Ethical Hacker. Currently, Deon is the Co-Founder of the Caribbean Cyber Security Centre (CCSC), which was officially launched earlier this year, and offers a comprehensive suite of network testing services.
ICT Pulse: Deon, in the last year there have been numerous reports of intrusions across the Caribbean – both on government and private sector networks. Based on your work in the field, do you think incidents have increased, or is it just a case that more information is reaching the public domain?
Deon Olton: It is definitely the case that incidents have increased and will continue to increase and get more damaging unless both the public and private sectors start to take decisive action in addressing a wide range of security weaknesses and vulnerabilities. Based on our understanding of the cyber-attack progression we at the Caribbean Cyber Security Center are convinced that the recent cyber security attacks in the region are the reconnaissance activities for a pending major cyber-attack.
ICTP: Over the past year, have you witnessed any increased awareness or concern among organisations, or even individuals, regarding cybercrime and security?
DO: The level of awareness and concern within the region is lower than expected since cyber threats represent one of the greatest threats facing the economies of our region. Our IT Leaders appear to be stuck in the “academic” zone in regard to handling the cyber threat, which evolves “daily” at a much higher rate. We simply have to move beyond regional forums, expos, conference and the like, and start the process of improving regional cyber security awareness both in the public and private sector. Secondly, regional private and public sector organisations need to start requesting independent IT Risk Assessment and IT Security Awareness Training programs. All of these services are provided by the Caribbean Cyber Security Center (CCSC) to help improve system security for companies of all sizes at cost effective rates. The cost of doing nothing totally outweighs taking proactive steps to assess networks and remediate all identified vulnerabilities.
ICTP: Have you observed any patterns or commonalities in the types of intrusions that have been prevalent in Barbados, or possibly across, the region?
DO: I think the attacks we are seeing are recon efforts for something much biggest and damaging to come. Today hackers are increasing breaching networks and staying dormant in places like memory until they are ready to strike. The truth of the matter is that many government networks do not have adequate intrusion detection solutions in place, and those that do have them have not implemented them in a security framework that looks at both the external and internal intrusion threat, and as we know, the greatest intrusion threat is always from the “inside”.
ICTP: Many organisations, especially our SMEs, that recognise the importance of network security, can be challenged by budget limitations, vis-à-vis the likely cost of a comprehensive suite of solutions. What advice would you share, in terms of how best to spend their modest allocation for network security?
DO: With shrinking budgets in challenging economic times IT Security is placed on the back burner and hence cyber security is not viewed with the required sense of urgency, but ICT leaders in the region have to find ways to convince management of the risk that exists. One easy way to get past the budgeting and cost challenges is to partner with new regional IT Risk Assessment providers who have your company’s interest at heart. New regional entrants, the Caribbean Cyber Security Center (www.caribbeancsc.com), have all of the technical resources in-house and hence the cost of having a comprehensive IT Security program is no longer a dream but an almost instant reality. CCSC offers comprehensive IT Security Risk Assessment and IT Security Awareness Training to help you improve your IT Security Posture. The CCSC suite of services are geared to create a baseline and quickly and efficiently create and implement an IT Security Roadmap that suits your company’s need for Confidentiality, Integrity and Availability.
ICTP: Finally, is there any single emerging trend or type of threat that you would flag as requiring extra vigilance in the region?
DO: Over the past months there has been a spike in defaced websites which has not result in the necessary improvements in IT Security across the affected sectors. These exploits are all similar and appear to be an organized and calculated attack on the Information Systems Assets. Clearly the perpetrators have little regard or respect for the level of IT Security. Generally when a hacker defaces a website it is to send a message. Defacing a website is like the last straw, this normally means:
- Poor physical security – not a challenge to hack
- No detection systems – they have free access
- They can compromise whenever they feel like.
Do you have any questions or comments for Deon? Please share them the Comments area below.
Image credits: chanpipat / FreeDigitalPhotos.net; D. Olton