Having taken a break last year, we are updating our series of discussions with network/IT security professionals on network intrusion and security in the Caribbean, in the hope of gaining new insights for 2016.
Over the past several months, we have noted an increase in network attacks occurring across government offices and private organisations in the Caribbean. Some of the incidents have been reported in the press, but no doubt countless others are not publicly discussed, yet have nonetheless crippled the affected organisations and, hopefully, have been a sobering wake-up call regarding the threats that exist. We, here at ICT Pulse, thus thought it opportune to engage network security specialists across the Caribbean, to secure some firsthand insights and advice on cybercrime and cybersecurity across the region.
We are thrilled, once again, to launch our 2016 cybersecurity Expert Insights series with Niel Harper. Niel is the Founder and Managing Director of Octave Consulting Group, a boutique advisory firm specializing in CIO advisory, cybersecurity, IT assurance and information risk management services. He has had management responsibility, consulting engagements, and short-term assignments in over 20 countries. He is a Fellow to: the British Computer Society; the OECD Technology Foresight Forum; and the Royal Society of Arts. He is an Incorporated Engineer (IEng) registered with the UK Engineering Council, and holds a number of industry certifications in information security, IT auditing, and business continuity management. In 2014, Niel was recognized by the World Economic Forum as a Young Global Leader. He has worked with organizations such as the Internet Society, United Nations Volunteers, Cable & Wireless, AT&T, Bermuda Commercial Bank, CIBC, and the Internet Engineering Task Force.
ICT Pulse: Niel, it has been two years since our last Expert Insights Series, give us a quick recap of what have been the most prevalent incidents in Barbados and/or in the Caribbean region since 2014?
Niel Harper: Over the last 2 years, various government web sites in Barbados have been compromised and defaced by hackers. Websites included the Barbados Government Information Service (BGIS), Barbados Stock Exchange (BSE), Barbados Revenue Authority (BRA), Royal Barbados Police Force, and the Barbados Supreme Court, to name a few. Private websites such as the Barbados Advocate were hacked as well.
There are still no data protection laws in the country, so due to the absence of mandatory breach notifications, the few reported incidents are only the tip of the iceberg. The prevalence of ATM skimming attacks has also increased. However, because the marketplace is dominated by mostly Canadian banks, Sarbanes-Oxley regulatory requirements have led to stronger controls, and many of the skimming attacks have resulted in arrests.
In the wider Caribbean, there have been similar trends of government websites being compromised. A number of organizations in St. Vincent, Grenada, St. Kitts & Nevis and other countries have been subject to malicious online attacks. One of the major commonalities across the region is that organizations with limited resources and untrained personnel have been the targets of successful attacks. This is a key reason why capacity building is critical to improving the region’s overall cyber response capabilities.
ICTP: How has the threat landscape changed over the past two years? Are there any particular areas of concern that you have for Caribbean organisations?
NH: The smartphone footprint continues to grow and with it the attack surface of mobile devices. That being said, many device manufacturers are focusing their efforts on enhanced security as a product differentiator. Still, end user education is necessary as an additional layer of protection against malicious threats.
Given the increased hardening of operating systems and applications, attackers are focusing on areas lower down the ‘stack’ such as BIOS, firmware, and graphics chipsets. Controls such as boot security, trusted execution, and active memory protection are making these attacks more difficult, but I expect these types of threat vectors to increase.
Newer technologies such as IoT (Internet of Things), M2M (machine-to-machine) communication, Network Functions Virtualization (NFV), and Software Defined Networks (SDN) are growing in terms of their deployment base. But this also introduces significant challenges in terms of security: single points of failure, open source software, and complexity. The fact that commonly used items such as televisions, refrigerators, and even automobiles, are now accessible through the Internet has vastly changed the threat landscape, and should force manufacturers and end users alike to focus more on cybersecurity.
The explosion of cloud computing, the increasing popularity of crypto-currencies, and the emergence of mobile payments (e.g. Apple Pay, Google Wallet, etc.) are also areas for concern with regard to an expanding threat surface.
All of these areas are of particular concern for Caribbean organisations, especially those who are seeking to be on the cutting edge.
ICTP: At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and continued calls by leaders that something be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in Barbados, and/or perhaps regionally? What might still be missing?
NH: I don’t want to be the harbinger of doom, but from all accounts, there is still not enough of an urgency or commitment being demonstrated by regional leaders as it pertains to cyber security. Most all CARICOM countries have no national cybersecurity strategy or centralized function/organization that is tasked with cyber incident response. While many countries have some legislation in place in terms of computer misuse, there are material deficiencies with regards to procedural law, legal interception, and computer forensic evidence collection. There continue to be wide-scale delays in implementing data protection and privacy legislation (including responsible disclosure). Mechanisms in the private and public sectors for cyber defense coordination are virtually non-existent. Cyber security awareness is frighteningly low, and governments have not generally diverted sufficient resources to the development of national cyber security education. As a result, there is limited trust in key economic drivers such as the use of online services, e-government, and e-commerce. The aforementioned issues exist in Barbados as well as across the wider Caribbean.
ICTP: Are you observing any real evidence of a greater willingness among organisations to take cyber/network security more seriously? How is that awareness (or lack thereof) being manifested?
NH: To be quite honest, the organizations that take cyber/network security seriously are mostly the ones in heavily regulated industries such as financial services (mostly North American banks). Because of the high financial, operational, reputation, and regulatory risks, they are pretty much forced to apply concerted efforts to improving their security posture. Their entire status as a going concern is dependent on this. What I am seeing in other organizations is a lackadaisical approach to cyber security. Most organizations don’t have roles such as Chief Security Officer, Head of IT Risk, or IT Auditor. The expectation is that the Network Administrator should be a security specialist (a clear violation in terms of segregation of duties). Additionally, cyber/network security is not even a topic in many executive committee meetings or at the Board level.
ICTP: Have you observed any changes in end-user behaviour? Do you think IT staff have done enough sensitisation to bring about behavioural change in their users?
NH: Security awareness is not a common practice in many organizations in developed and developing countries. A bevy of industry surveys have highlighted that a large percentage of companies do not even have security awareness programmes in place. In the 2016 Cybersecurity Report published by the OAS and IDB, security awareness was cited as a major deficiency in the majority of CARICOM states. Hence, my belief is that there is still much work to be done in terms of positively altering the risky behaviors of end users.
ICTP: As you are aware, there has been considerable concern and discussion about ransomware. If there is one thing people should know about this threat, what would that be? Can organisations recover their network data that has been corrupted by ransomware? What would be your best advice to minimise the effect of ransomware?
NH: The one thing people should know about ransomware is that it is highly unlikely that they will be allowed to pay in fiat currencies (attackers are requesting payment in Bitcoin more and more). When I speak to my customers about recovering from ransomware, my primary advice is that they have an effective data backup and recovery scheme in place. The best way to recover from ransomware variants such as TeslaCrypt, CryptoWall or CryptoLocker is to ensure that you have recent copies of your data backed up to tape or disk (and encrypted if at all possible). I also advise them to deploy hardened desktops and servers, as well as ensure that all applications have recent patches applied.
ICTP: Finally, are there any key areas businesses should be investing their network security/IT dollars this year?
NH: I would say that the best investment as it pertains to cyber/network security is in highly trained staff. A top-tier cyber security specialist will have the necessary knowledge and experience to adequately and effectively secure computing environments to best mitigate risk exposures from online threats.
Image credits: CyberHades (flickr); Niel Harper