ICT Pulse: Niel, give us a quick recap of what have been the most prevalent types of incidents in Barbados and/or in the Caribbean region over the past year or so? How has the threat landscape changed?
Niel Harper: Michele, it’s always difficult to quantify or qualify the number and types of cyber incidents that occur in the Caribbean because there are no mandatory breach notifications or transparency obligations in the various jurisdictions across the region. As such, public and private sector organizations do not notify the general public or individual data subjects when networks or personal data stores are compromised (yes I have said this a number of times, but it is still relevant and quite important). That being said, ransomware attacks have been quite prevalent across the region, and particularly targeting hospitals, educational institutions, government systems, financial services, and small-to-medium enterprises with insufficient resources to adequately respond to cyber threats.
ICTP: Over the past year, ransomware incidents appeared to have been quite plentiful across the region. Are they still as huge a threat?
NH: On a regional (and global) scale, ransomware has continued to be the most persistent business model for cybercriminals. One of the key reasons that ransomware has remained a major threat is because the tools used to initiate attacks are being continuously evolved and improved. For example, there was an over 150% increase in new ransomware variants in the first half of 2016. Moreover, cybercriminals are now operating Ransomware-as-a-Service (RaaS) with lower buy-in costs that allow less tech-savvy perpetrators to distribute ransomware. And the success of ransomware attacks is high because related exploit kits have been popping up more and more on legitimate websites.
ICTP: What are some of the new and emerging threats of which we should be more aware? And are there any particular areas of concern that you have for Caribbean organizations?
NH: One of my biggest concerns with regards to new and emerging threats is that nation states are increasingly developing offensive cyber capabilities, essentially weaponizing exploits and actively eroding trust online through disproportionate mass surveillance, targeted attacks, and information manipulation (fake news). On the other hand, threat actors are ramping up attacks against hardware and firmware vulnerabilities in processors, DRAM technologies, BIOS, and in firmware on devices such as USB, chargers, and external hard drives. IoT malware is on the rise and threatening individual privacy via regular household appliances and consumer devices. In 2017, ransomware continues to grow, and malware authors are focusing their efforts on mobile devices — attacking data repositories both on devices and in the cloud. ‘Dronejacking’ has become a growing threat with a noticeable increase in attacks due to consumer drones shipping with weak protection mechanisms. While not necessarily a new or emerging threats, the pervasive insecurity of IoT devices is fueling the perpetual threat of DDoS attacks, especially against ISPs with unsecured services such as DNS and BGP. All of these threat areas should be of concern to Caribbean organizations and individuals due to increased use of Internet-enabled devices at home and in the workplace.
ICTP: At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and calls by leaders for something be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in Barbados, and/or perhaps regionally? What might still be missing?
NH: I think the challenges with regards to cybercrime and cybersecurity are pretty constant across the Caribbean region — so I won’t just focus on Barbados. While I think that awareness is increasing, I am deeply concerned that the response to these issues across CARICOM and the broader region is (still) severely lacking. For one, the vast majority of the countries in the Caribbean do not have a national cyber crime strategy. This includes legislative reform (e.g. computer misuse, data protection, privacy, e-commerce, etc.), incident response capabilities, threat intelligence sharing, cybersecurity education & training, and other important elements. The HIPCAR project to harmonize regional cyber legislation ended around 2012, and most countries have still not updated their national laws. That being said, this may actually be an opportunity as the final outputs from the project were largely inadequate, and regional leaders should now be looking towards options like signing on to the Budapest Convention and/or modeling new data protection laws on the EU’s General Data Protection Regulations (GDPR).
ICTP: Does it even make sense for small companies to send their network administrators to security training courses when security is not their full-time job, and given the pace at which the security landscape is changing? Or should such companies just accept the fact that they need to outsource this function?
NH: This is a very good question. A network administrator is employed to oversee the smooth and effective running of the company’s system environment. However, this individual cannot successfully meet the demands of their job if the environment is not adequately secured. Hence, in my opinion, a top-tier network administrator should be trained on security to properly round off his/her capabilities and deliver real value to the organization. However, the tricky aspect is that small businesses generally can’t afford to hire network administrators with such a diverse skill set or to finance security-related training, so outsourcing then becomes the only viable alternative. But then outsourcing of such a sensitive role may not be cost-effective and bring with it an entire new set of risks. It’s somewhat of a Catch 22.
ICTP: Do you agree that user naiveté is the number one security threat facing organizations? If not, what do you think is the most significant threat?
NH: I strongly contend that end users remain one of the biggest threats to online security due to their lack of awareness, poor judgement and carelessness with password management, sharing devices with others, accessing unprotected and open public networks, downloading files and apps from untrusted sources, visiting unknown websites and clicking on fraudulent links. However… An increasingly connected society, coupled with a highly complex and constantly evolving threat environment, makes it extremely difficult for an inexperienced end user not to be the weakest link in the chain of trust. This is why end user awareness and training programs are so critical in combating cyber threats.
ICTP: Should any organization still be using tapes for data backup purposes?
NH: I totally understand why this question would be asked, especially given the widespread availability and popularity of alternatives like cloud backups, disk-to-disk backups, low-cost NAS backups, and others. However, I still think that tape backups should be used for a number of reasons. Firstly, newer LTO technologies are allowing for higher capacity, greater transfer rates, and lower total cost of ownership — SMEs generally can’t afford the large Internet pipes or expensive hardware/software required to support cloud and disk-to-disk backups. Tapes also have better reliability (error-rate) and longevity than disks. Additionally, tapes are highly portable with regards to moving them offsite to support disaster recovery. Tapes can also be combined with disk-to-disk or cloud backups to increase the robustness of disaster recover solutions (e.g. when Internet connectivity is unavailable or data center locations are inaccessible due to a major incidents). Other areas where tapes are superior to disks are scalability and backward compatibility.
ICTP: And finally, what are the top three (3) things businesses should be doing this year to improve their network/IT security?
NH: An important undertaking for organizations in 2017 should be to hire someone who has a strong skill set in the area of risk evaluation and management — an expert who can take a holistic look at the business to identify and qualify/quantify risk exposures and impacts, decide which risks can be accepted, and develop mitigating actions for those that can’t.
Secondly, businesses need to implement a toolset that provides them with greater visibility into security events and information throughout their IT environment. This should include logs and events from firewalls, intrusion detection/prevention systems, endpoint security, operating systems, network devices, databases, file integrity checkers, and data loss prevention or digital rights management solutions. IT personnel need to be able to identify anomalies across the organization, and proactively address intrusions before they occur or effectively detect and respond to those that have already happened.
Thirdly, businesses should rationalize and implement a cloud strategy (if they haven’t done so already). Cloud-based solutions provide a more affordable solution to traditional on-premise systems. And while they have their own distinct set of associated risks, cloud-based services have become increasingly more secure and reliable over the last couple of years. To ensure that they are well protected when migrating to cloud services, business must focus concerted attention on the service level requirements which their cloud partners must adhere to. Key areas such as jurisdiction, data ownership, security standards, availability, performance, data portability, right to audit, exit clauses, change management and problem management should not be neglected. A robust service level agreement (SLA) is pretty much an insurance policy when entering into a cloud services partnership.
The original interview can be found on the ICT Pulse website at: http://bit.ly/2oCxMzM