Expert insights 3: Cyber threats and security in the Caribbean 2017 update
Our 2017 Expert Insight series on cybersecurity in the Caribbean continues – the third in this year’s series – with Sean Slattery, a network/IT security professional based in the Cayman Islands.
Sean Slattery is founder and CTO of Caribbean Solutions Lab – a cybersecurity service provider that helps businesses throughout the Caribbean and North America to defend and protect themselves from cyber threats. Based in Cayman for nearly 20 years, Sean has spent the last nine years focused purely on cybersecurity, holds a US Government Secret security clearance, is an FBI Infragard member and regularly delivers cybersecurity presentations. Sean was also a McAfee instructor for five years.
ICT Pulse: Sean, give us a quick recap of what have been the most prevalent types of incidents in the Cayman Islands and/or in the Caribbean region over the past year or so? How has the threat landscape changed?
Sean Slattery: Ransomware is still the most well known and headline-making malware threat. While phishing remains the preferred delivery method, we have also seen a noticeable increase in mobile based and targeted threats. With respect to phishing and mobile threats, the bad guys are definitely improving their skills notably in language. It is now rare to receive an email in broken english. The messages and sites are well crafted, very targeted and nearly indiscernible from a legitimate one. Consistent user training, security awareness and developing a distrust for the Internet communications remain the best countermeasures. The latter being the most difficult for the Caribbean as we are inherently quite trusting due to our smaller communities. The targeting of financial institutions continues to be popular in the cybercrime playbook. Many in the Caribbean believe that we aren’t targeted. I have first-hand evidence that we are indeed targeted. Also, we have been able to compare data with our US and European peers and see that regional activity, campaigns and attacks match theirs. Not only are we targeted but we are also enjoy the benefits of being associated with the larger jurisdictions. In the end, a bank account, credential, computer is valuable to cybercriminals regardless of location. The Internet is a great leveler in that regard.
ICTP: Over the past year, ransomware incidents appeared to have been quite plentiful across the region. Are they still as huge a threat?
SS: Yes, ransomware is still quite prevalent, simply because it works. The reality is that ransomware pays very well – an estimated $1 billion and 400 new variants in 2016 alone. Understand that cybercrime is a business, a big business in fact. If no one paid the ransoms the business model would fail. Clearly people are paying the ransoms.
ICTP: What are some of the new and emerging threats of which we should be more aware? And are there any particular areas of concern that you have for Caribbean organisations?
SS: There is a natural evolution to the industry. As the saying goes, when you build better mousetraps, you will get smarter mice – wash, rinse and repeat. In addition to the improving existing techniques, a few things come to mind. Fileless malware is a particularly interesting threat. This type runs completely in memory and leaves virtually no trace for a traditional antivirus to detect and action. firmware attacks. We are also seeing improved automation used by cybercriminals to generate malware. Let’s not go into the nuances of AI (Artificial Intelligence), mathematical modeling and machine learning but suffice it to say, that the bad guys are taking a page out of our own playbooks and using it against us. Another emerging type threat, on our radar, is based in firmware. We’re referring to the software that sits inside of the hardware chips that run our computers, home audio/visual equipment, cars, etc – the Internet of Things – IoT. Face it, everything is or has a computer now. Being able to validate, prove and continuously monitor the integrity of that new server, firewall or router you purchased is increasingly important.
ICTP: At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and calls by leaders for something be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in the Cayman Islands, and/or perhaps regionally? What might still be missing?
SS: I agree that regional awareness is improving but is only part of the battle. An impacted business’ customers will care more about action than awareness. Locally, the Cayman Islands government has embraced cybersecurity and is driving adoption of the NIST framework from the top down. We continue to have success with a threat sharing network of local organizations. When a member is targeted or experiences a threat, pertinent information is quickly shared to the benefit of others not yet targeted or impacted. In a way, the more the group is targeted the safer it becomes. The biggest challenge we see with organizations is the propensity to consider cybersecurity an IT problem. Cybersecurity is a business problem that affects the board, shareholders, legal, compliance, HR to name a few non-IT areas. Only a handful of organizations have recognized this and taken action by establishing cybersecurity departments or teams. From a technical perspective, a cybersecurity group or team needs to include endpoint (desktop/server), network, and application stakeholders. Often these might actually be outsourced positions or fulfilled by service providers and that is OK too.
ICTP: Does it even make sense for small companies to send their network administrators to security training courses when security is not their full-time job, and given the pace at which the security landscape is changing? Or should such companies just accept the fact that they need to outsource this function?
SS: Where possible, SMB’s should definitely invest in cybersecurity training for their staff. There are many affordable online or computer based training resources. It should be a matter of HR policy to conduct annual security awareness training for all staff. Outsourcing can be a bad word for small businesses. Supplementing security from, partnering or teaming with a cybersecurity provider can be a more palatable term! Seeking help or external expertise is not a sign of weakness. It is actually a sign of maturity. Organizations should seek to work with cybersecurity providers or IT providers with dedicated cybersecurity teams. Simply outsourcing security to an all-purpose IT provider is insufficient – jack of all trades, master of none.s with any physical skills, mental skills must be regularly practiced or risk atrophy. Cybersecurity is no different in the context of general IT.
ICTP: Do you agree that user naiveté is the number one security threat facing organisations? If not, what do you think is the most significant threat?
SS: User naivete is certainly a major factor but a larger issue is business naivete, particularly at senior/board levels. In addition to the previously mentioned notion of security being an IT problem, users including board-level ones often fail to recognize the importance of cybersecurity to the business. A user only has to not receive their pay following a ransomware attack they inadvertantly caused by opening a file to recognize the business impact. Another area of significant naivete is the outdated notion that having a firewall, antivirus, web and email security systems is sufficient. You can be sure that in every headlining breach or attack, every one of those organizations had those tools in place, and yet they were still impacted. Insanity is doing the same thing over and over and expecting a different result. Please let’s stop the insanity!
ICTP: Should any organisation still be using tapes for data backup purposes?
SS: Great question and yes! With technology advances in hard drive and cloud-based storage, it is easy to overlook the value of offline backups – tapes still being the most cost effective. Tapes are easy to transport, offer high capacities and difficult to infect with malware such as ransomware. Do not forget to regularly test your backup systems! In the words of Andrew Tanenbaum, “Never underestimate the bandwidth of a station wagon full of tapes hurtling down the freeway.” Sometimes sending a few terabytes of tapes by FedEx is more efficient than sending that same data across the network or Internet. Disaster recovery and business continuity do not change in response to the event. That event might be a hurricane, plumbing leak, disgruntled employee or major ransomware attack. Online or near-line backups are great tools but you can never have too many copies of your critical data. Do not forget to regularly test your recovery procedures. In the Caribbean, we are used to practicing for hurricane season, but the more often this is practiced the faster the recovery process will run in the event of an actual disaster. In general, I recommend that all organizations be able to recover minimal core functions within 24 hours and secondary functions within 48 hours.
ICTP: And finally, what are the top three (3) things businesses should be doing this year to improve your network/IT security?
SS: Hmm, picking just three is tough! Let’s go beyond the usual angles of board-level/business awareness, establishing policy and user training.
First, let’s accept that every organization will suffer a breach or significant cybersecurity event sooner or later. Short of gross negligence it isn’t going to be anyone’s fault – it just is. As a potential customer of said organization, I accept that. However, I would want assurance that the event was quickly detected, contained and mitigated. It is paramount to learn from the event to help prevent a similar recurrence. Ensuring cybersecurity staff/groups/teams are regularly informed and stay abreast of the industry trends is the key here.
Second, let’s finally accept that firewalls, antivirus, web and email systems are insufficient. Firewalls and antivirus were invented over 25 years ago to address problems from 25 years ago. Just as we cannot expect a delivery service today to run on horse and carriage, we cannot expect yesterday’s tools to protect against tomorrow’s or even today’s threats. Organizations should look to invest in complementary and advanced tools that not only provide additional layers of security but can do so in a way that is easy to use and can even save time. Look for terms like AI, machine learning, and mathematics. This can be endpoint, network or even cloud based. Partnering with a cybersecurity service provider for these tools is also beneficial due to the potential for threat sharing.
Third, organizations should seek local and regional networking opportunities for cybersecurity. This can be at levels such as board members developing policies or technical level for security staff to interact with peers. Perhaps the most important networking aspect is for threat sharing. Obviously most organizations cannot disclose details about a breach or tools employed, but there is a middle ground somewhere. This is often through a trusted third party such as common cybersecurity provider. It may be simply a matter of allowing the transmission of a new malware file or phishing email/url. To more people know about a threat, the better the chances of prevention. An ounce of prevention is worth a pound of cure.
Lastly, I will leave readers with a few bullet points that can help guide them. An organization that can accurately and consistently answer the following questions will be in a very good position to address cybersecurity issues and concerns.
- What or who is connected to your organization?
- What applications or processes are running in your organization ?
- Who has administrative rights?
- How are you continuously monitoring your organization?
- How are your tools working together to correlate, integrate and automate threat detection/prevention/containment?
As a side, note may I suggest that ICT-Pulse also start referring to cybersecurity as its own discipline – beyond a network/IT function? While seemingly a trivial detail it is an important one and change has to start somewhere. Why not have it start with the readers of ICT-Pulse?
Do you have any questions for Sean? Do you agree with his views? Let us know in the Comments section below.
Image credit: Yuri Samoilov (flickr); S. Slattery