We continue with our 2014 update on insights from network security experts from across the Caribbean.
In this the second installment in our 2014 expert series, we engaged Aaron Manzano, who participated in our 2012 exercise. Aaron is an IT/network security professional with over 30 years’ experience in the field. He specializes in areas such as IT Operations and Management, Network Design and Implementation, Information and Network Security, and Systems Development and General Management. Currently, Aaron is based in Trinidad and Tobago and is the Director of HMP Consulting.
ICT Pulse: Give us a quick recap of what were the most prevalent incidents in Trinidad and Tobago and/or in the region in 2013?
Aaron Manzano: As in previous years, most of the incidents are still kept quiet. There continue to be attacks and some breaches of Government sites. Debit and credit cards fraud has increased to the extent that the local banking association has done some thorough, albeit limited, public awareness campaigns. Insider fraud and unauthorized information leakage have also fueled the awareness campaign, though limited to the institutions affected.
However, the most disturbing part is the handling of the “Emailgate” affair. It not only showed the limitations of law enforcement, legislation, and the impact of political distraction, but it also highlighted a significant lack of competency and of quality of ICT professionals, especially those offering opinions and/or solutions.
ICTP: Although we are still early in 2014, how is the threat landscape changing? Are there any particular areas of concerns that you have for Caribbean organizations this year?
AM: Professionally, I don’t think anything major has changed. What we are seeing is new flavours of the same thing. What has happened is a new awareness of Big Brother, though the appreciation is not perceived as a threat.
What I do expect is some level of emulation of what larger Governments have been doing covertly by smaller states. Without the appropriate legislation for the individual liberties, coupled with the state’s responsibility to protect against crime and unforeseen risk, smaller states can find intrusive monitoring and screening creep into everyday life quietly. Because of their small size, the voice of protest tends to be murmurs. If 0.01 % of any population has the voice of protest, then in Trinidad, that would 100 persons. For a country with a population of 100,000, then that number is 10. No matter the size of the country, protest only has an impact when the number of people involved can be noticed.
ICTP: At the CARICOM level, there appears to be a growing awareness of cybercrime and calls by leaders that something be done. In your opinion, have there been any improvements in the cyber security-associated resources or support structures in Trinidad and Tobago, and/or perhaps regionally? What might still be missing?
AM: There has been no real impact.
The organizations that had this as a concern ten years ago, or five years ago, are still the ones that have it today. What’s really forcing Governments to address change are compliancy issues for traditional markets that make it harder to trade if you can’t satisfy those requirements. The cost of reporting, new competitors, and eroding markets, have a real impact on GDP. Not being able to keep up with treaty commitments means being blacklist and labelled something unflattering. This economic impact is what’s pushing governments and business leaders and; it is not limited to ICT, though in many cases ICT is hailed as the champion.
ICTP: Are you observing any real evidence of a greater willingness among organizations to take cyber/network security more seriously? How is that awareness (or lack thereof) being manifested?
AM: I think I answered this question earlier but I hedge a bet that Snowden has gotten people wondering, to the point that Board Members/Executives are asking questions but not yet testing the answers.
ICTP: Are there any key areas businesses should be investing their network security/IT dollars this year?
AM: Most organizations should push on Organizational Responsibility, Individual Awareness and Education. Mobile devices, faster broadband and the penetration of social networks blur the work/home divide. The average user (and maybe we should start saying, consumer of data) finds it hard to accept that there is a difference between “what I do at work” and “what I do at home”. We have done a great job of making cyberspace a separate place; that is pervasiveness is not really recognized except for marketing or political campaigns. Social networks reinforce this and the advent of Business Social Networking software has individuals wondering “what the is point?” – I might as well use Facebook, it does the same thing and I don’t have to think about it.
That been said, it is time to put efforts on Rights Management, Content Management and Policy Conformance especially for anyone operating in the cloud. Many people save documents as PDF files to reduce the likelihood of someone else editing it. This is very individualistic. Right Management (RMS) goes a lot further than this. Its intent is to be pervasive, not limited to the organization, but to reach everywhere. Based on an organization’s policies, documents can be tagged with the people allowed to open, change, print or email them, and if the work flow is automated, these states can change as it moves through the process. For example, the ability to collect credit card numbers might only exist at the document creation stage and is not visible again until a Credit Officer reviews it. At the same time, Mr. John Doe, can access that information (he being its subject), once he can be verified. This is a simplistic example, however though RMS it is possible to continue to protect a document/ data indefinitely. For legacy documents that cannot be tagged there are systems that can examine the content each time it is touched or transitioned in a workflow state. These systems are not perfect, there are still cross border and jurisdictional issues to be resolved, not to mention the significant interest of groups like the music industry lobbies that would also need to be addressed.
Using RMS in the cloud or on-premises also highlight another point: Product Features. When our focus was on the desktop, we probably only used 10 % of the features of an application. On the server side, the application was acquired for a specific function, and all other features were typically ignored. Now, the cloud has both the server and the client (desktop/browser): it is feature-rich and even more underutilized. The vendors thought that the cloud would have brought software metering and billing, based on the features utilized. Instead, the availability and the enhancements of the feature set has become a key selling point. The potential of misconfiguration, or even non-configuration on the assumption that the vendor would have done it, is not obvious until IT gets asked “how are we addressing this?”
Still, each major vendor has some level of culpability in this regard. Compliancy requirements in the US and EU have ensured that developers either possess the required capability, or have a roadmap for its implementation. E.g. the ability to place message in a hold state, if the content can expose an organization to litigation, or prevent its deletion until its retention is no longer required legally, exists in all major cloud email solutions. It up to IT Strategists to recognize the need, and for Consultants/Vendors to spend the time to educate and advocate its use. There are a large number of products and services that duplicate or augment existing capability. Refreshing your knowledge of what you have can potentially reduce cost and optimize implementation, while reduce your risk surface.
Do you have any questions for Aaron? Do you agree with this views? Do share your thoughts in the Comments section below.
Looking forward to your feedback!
Image credit: jscreationzs (FreeDigitalPhotos.net)