Expert Insights 2: Cyber threats and security in the Caribbean 2016 update (part 1)

We continue our conversation with network/IT security professionals – our second instalment – on network intrusion and security in the Caribbean, in the hope of gaining new insights for 2016.
In this, the second in our Expert Insights series for 2016 in which we discuss matters related to cyber threats and security in the Caribbean, we are thrilled, once again, to have Hector Diaz of Intel Security. Intel Security, which is still more popularly known as McAfee, is a globally recognised computer and network security software firm. Intel Security’s Caribbean office is in the Dominican Republic, and serves the Dominican Republic, Puerto Rico, all of the West Indies, and Bermuda. Hector is Intel Security’s Regional Account Manager, Caribbean. He has extensive experience in the IT security space, and possesses a diverse skill set that includes a strong technical background in infrastructure and security. Further, he has access to the depth and breadth of threat intelligence that a firm such as Intel Security can offer, which strengthens the insights he can share. Below is the first part of our Q&A session with Hector.

ICT Pulse:  It has been two years since our last Expert Insights series. Give us a quick recap of the most prevalent types of incidents in the Caribbean region since 2014.

Hector Diaz:  Based on the information that we collect through our Global Threat Intelligence Network, after three quarters of decline, the number of new malware samples (worldwide) resumed its ascent in Q4 2015, with 42 million new malicious hashes discovered, 10% more than in Q3 and the second highest on record. The growth in Q4 was driven, in part, by 2.3 million new mobile threats, 1 million more than in Q3.

An important percentage of these types of threats are prevalent in the Caribbean region, especially:

  • Ransomware: based on the concept of encrypting personal/important information, we have seen a 26% increase in new ransomware samples in Q4 2015. The reason? Open-source ransomware code (for example, Hidden Tear, EDA2) and ransomware-as-a-service (Ransom32, Encryptor) make it simpler to create successful attacks. TeslaCrypt and CryptoWall 3 campaigns also continue, making this the main concern of Caribbean organisations and probably one of the threats that keep security admins up at night.
Figure 1: New and Total Ransomware in 2014 and 2015 (Source: McAfee Labs)
  • Macro malware: a relic of the 1990s that is now seeing a resurgence due to the continued use of macros by enterprises coupled with the increased sophistication of social engineering attacks that are propagating new, stealthier macro malware. A macro is a shortcut used to automate a frequently performed task. It is a piece of code embedded inside a document—typically a Microsoft Office document—and is usually written in the programming language Visual Basic for Applications. When a macro is recorded, it is actually generating a program in Visual Basic for Applications. Today’s macro malware attackers primarily leverage phishing email attachments, as well as spam campaigns, compromised web pages, and drive-by downloads to distribute their malware. These techniques are now far more sophisticated than they were in the 1990s, when macro malware first emerged. It has become quite difficult for users to spot these campaigns because they are targeted, short lived, and contain carefully designed attachments that avoid detection.
Figure 2: New Macro Malware in 2014 and 2015 (Source: McAfee Labs)
  • Mobile: with the rising adoption of smartphones, tablets and other connected devices in the Caribbean region, we have seen a 72% increase in new mobile malware samples (Android-oriented). We believe that Google’s August 2015 notification that it would release monthly updates to its Android mobile operating system forced malware authors to develop new malware more frequently in response to the enhanced security in each monthly release of the operating system.
Figure 3: New and Total Mobile Malware in 2014 and 2015 (Source: McAfee Labs)
  • Insider Threat: continues to be one of the most important in the threat landscape. With the adoption and evolution in the way we compute, datacenters and users are no longer the same closed structures as in the past. Today we need to face that a company’s information is either virtualized, residing in the cloud or moving around multiple types of devices that are often not inside a company’s premises. Visibility, control and situational awareness are three key areas where Security administrators are investing a lot of time and effort.
  • Skills shortage: and last, but not least, companies facing this computational evolution along with the increased complexity of the threat landscape have a growing interest in what is being done to protect and defend their top non-human asset: information. Support for growth in cybersecurity staffing is here; the problem is that the pool of skilled cybersecurity talent is facing a drought in the region. It is very common to have very limited human resources dedicated to cybersecurity (if companies have people specifically assigned to those duties at all). We have to admit that most companies are working to change this situation. In addition, about half of companies are immature in their security operations and 86% are driving to evolve and mature their security solutions.
Figure 4: 2016 Cybersecurity Skills Gap Infographic (Source: ISACA)
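The macro malware point above comes down to one question a mail gateway or analyst has to answer for every Office attachment: does this document carry a VBA project, and does it hook an auto-execute procedure? The script below is an added example by the editor, not Hector's code nor an Intel Security/McAfee tool. It works on the modern OOXML format (docx/docm/xlsm/pptm are zip containers), where the VBA project sits in a `vbaProject.bin` part and the package's `[Content_Types].xml` declares a `macroEnabled` main part regardless of the file extension the attacker chose. The two sample packages are constructed in memory and contain no real malware; the `build_package` helper and the `verdict` labels are the example's own.

```python
import io
import zipfile

# Procedure names that Word/Excel run automatically on open; macro malware
# almost always hooks one of these.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Document_Open", b"AutoExec",
                   b"Auto_Open", b"Workbook_Open")


def inspect_ooxml(data: bytes) -> dict:
    """Triage an OOXML package (docx/docm/xlsm/pptm) held in memory.

    Returns a dict with:
      has_vba       - a vbaProject.bin part is present in the zip
      macro_enabled - [Content_Types].xml declares a macroEnabled/vbaProject part
      auto_exec     - auto-execute procedure names seen in the raw VBA part
    Raises ValueError if the bytes are not a zip container at all.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML package (not a zip container)")
    result = {"has_vba": False, "macro_enabled": False, "auto_exec": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # The VBA project is an OLE container stored as a part inside the zip.
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["has_vba"] = bool(vba_parts)
        # A macro-enabled document advertises itself in its content types,
        # so a renamed .docm still gives itself away here.
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled"] = ("macroEnabled" in ctypes
                                       or "vbaProject" in ctypes)
        # Heuristic only: VBA source inside vbaProject.bin is stored with
        # MS-OVBA compression, so a name may be split across tokens and be
        # missed. A full analysis needs a decompressor (e.g. oletools' olevba);
        # raw matches are still useful for quick triage.
        for part in vba_parts:
            blob = zf.read(part)
            for name in AUTO_EXEC_NAMES:
                label = name.decode()
                if name in blob and label not in result["auto_exec"]:
                    result["auto_exec"].append(label)
    return result


def verdict(data: bytes, filename: str) -> str:
    """Map the inspection to a triage label, flagging extension mismatches."""
    info = inspect_ooxml(data)
    ext = filename.rsplit(".", 1)[-1].lower()
    if info["has_vba"] or info["macro_enabled"]:
        if ext in ("docx", "xlsx", "pptx"):
            # Macro-free extension on a macro-bearing package: classic lure.
            return "suspicious: macros present but extension claims none"
        if info["auto_exec"]:
            return ("suspicious: macros with auto-execute hook (%s)"
                    % ", ".join(info["auto_exec"]))
        return "review: macro-enabled document"
    return "clean: no VBA project"


def build_package(macro: bool, auto_exec: bool) -> bytes:
    """Constructed sample (not real malware): a minimal Word package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_type = (
            "application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    'ContentType="%s"/></Types>' % main_type)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Stand-in for the OLE container; real ones start with D0 CF 11 E0.
            blob = b"\xd0\xcf\x11\xe0" + b"\x00" * 16
            if auto_exec:
                blob += b"Sub AutoOpen()\r\n"   # constructed, uncompressed
            zf.writestr("word/vbaProject.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for fname, pkg in (("report.docx", build_package(False, False)),
                       ("invoice.docm", build_package(True, True)),
                       ("invoice.docx", build_package(True, True))):
        print(fname, "->", verdict(pkg, fname))
```

The extension check matters because a user sees "invoice.docx" and assumes no macros, while Word happily honours what the package itself declares. For real samples, pair this with olevba or a sandbox, since the raw-byte scan for auto-execute names is only a first pass.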

ICTP:  How has the threat landscape changed over the past two years? Are there any particular areas of concern that you have for Caribbean organisations?

HD:  The increase in the amount and complexity of the computing services that companies are offering to the public or for internal consumption (think of Internet banking, ATMs that can now receive deposits, mobile apps, cloud services for multiple purposes, virtualisation, and the mobile worker who can connect and compute anywhere) is causing concern about the level of effectiveness that ICT teams may have in the event of an incident.

An overwhelming volume of malware is reaching endpoint systems, especially when they travel off-network. New and emerging threats, specifically designed to get past traditional security defences (AV, firewall, URL filtering, etc.), result in a hectic and reactive “firefighting” IT security environment that pulls IT security resources away from more strategic activities.

IT security wants to reduce the number of resources needed to manually piece together data for investigations and thus improve response times. If we think about it for a second, most companies have invested responsibly in capabilities, aligned against threats/risk, yet they have little sustainable advantage over adversaries. They’ve got all the right countermeasures, but the friction and fragmentation they are required to overcome is leaving the combat ineffective.

Based on this reality, one area where this challenge is very visible is in incident response – Security teams are overwhelmed in a constant state of firefighting – exceeding their capacity. This is why many organisations are shifting their investments from primarily protection to a balance across protection, detection, and correction. We can think of Incident Response as a funnel with events entering at one end and over time, ultimately being eliminated at the other. Through this funnel we have the 3 stages of threat mitigation: protect, detect and correct.

  • Protect: Do their best to prevent incidents – zero-days, insider threats, and targeted attacks — from happening.
  • Detect: Identify important events and true incidents as quickly as possible.
  • Correct: Respond quickly and fully, limiting damage.

I personally think that this new “mindset” is what drives most companies this year.

ICTP:  At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and calls by leaders that something be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in the region? What might still be missing?

HD: As you know, at a government/law level, things take time and require consensus. Last March, CARICOM had a regional cybersecurity meeting that attracted a number of experts from Interpol, the FBI and some other technology actors.

We have also seen a number of efforts across the region to promote cybersecurity at the state level with multiple initiatives, and we at Intel Security have participated in several meetings where IT security is a top priority.


Part 2 of our Q&A session with Hector Diaz of Intel Security Caribbean will be published on 13 May 2016.

In the meantime, do you have any questions or comments? Please share them below.

