Ransomware: To Pay or Not to Pay? And… How Not to Pay!

I very much enjoyed this amazing panel discussion with the brilliant Larry Whiteside Jr. and the thoughtful and engaging Andrew Hay. I also have to mention the excellent moderation by James Coker.

We discussed a range of topics from ransomware trends to cyber insurance to holistic incident response/disaster recovery to public-private partnerships in support of better overall industry response to ransomware attacks.

I hope the audience participants had as great a time as I did.

As soon as it becomes available, I will post the on-demand version here for easy access.

Finally, I want to extend my humblest thanks to Infosecurity Magazine for inviting me to speak at their Online Summit!

Caribbean Security & Resilience Awards Winners Announced

The winners of the 2021 Caribbean Security & Resilience Awards have been announced!

Congratulations to the other award recipients:

  1. Peter Bäckman (Dominican Republic)
  2. Kwailan M. Bridgewater (Trinidad & Tobago)
  3. Lysandra Capella (Curacao)
  4. Rosa Damaris Diaz de Tejada (Dominican Republic)
  5. Gavin Dennis (Jamaica)
  6. David Gittens (Barbados)
  7. Stevez Gomes (British Virgin Islands)
  8. Garth Gray (Jamaica)
  9. Norval West (Jamaica)

Deeply humbled to be in such esteemed company.

Thank you all for what you do day in and day out to keep the Caribbean region #cybersecure!!!!

The official announcement on the International Security Journal’s website can be found here.

Cloud Fundamentals Study Guide

The Information Systems Audit and Control Association (ISACA) just released the ‘Cloud Fundamentals Study Guide’ publication.

“The ‘Cloud Fundamentals Study Guide’ works through each aspect of cloud computing, its characteristics, common decision points, gaps and security vulnerabilities. It helps individuals prepare for the ISACA Fundamentals certificate exams, one of the components of the ISACA Certified in Emerging Technology certification program. I served as an Expert Reviewer on this project.

As a member of ISACA’s Emerging Technology Advisory Group, I served as an Expert Reviewer of this document.

I can’t fully explain the distinct pleasure that I derive from working with so many recognised and respected subject matter experts (SMEs) in the development of this type of content. We owe it to the next generation of IT risk management, audit & assurance, information security, and privacy professionals to provide them with the tools needed to aid their success. This is why we do what we do as ISACA volunteers!

You can access the ‘Cloud Fundamentals Study Guide’ through ISACA’s Bookstore.

Feature Address at the AFRALTI ‘Child Online Protection (COP) Virtual Workshop’

It was my distinct pleasure to be the featured speaker at today’s opening of AFRALTI’s ‘Child Online Protection (COP) Virtual Workshop.’

My presentation briefly touched on the importance of the following activities:

  1. Bringing multiple stakeholders together to create a safe and empowering online experience for children and young people
  2. Educating parents and educators to keep children safe online
  3. Ensuring that policymakers elaborate a legal framework that is adaptive, inclusive, and fit for purpose with regards to a fast-changing digital age to protect children online
  4. Ensuring that ICT and online industries understand their shared responsibility for securing cyberspace and commit to action

Based in Nairobi (Kenya), African Advanced Level Telecommunications Institute (AFRALTI) is an Inter-Governmental Institute established in 1991 to supplement and spearhead ICT development efforts mainly in English-speaking Africa. Currently the member States that have ratified the Intergovernmental Agreement (IGA) include Lesotho, Kenya, Malawi, Mozambique, Kingdom of Eswatini, Tanzania, Uganda and Zimbabwe, out of the 23 eligible members.

Incoming ISACA Board Features Experienced Leaders, Diverse Backgrounds

Deeply humbled to have been elected to the incoming Board of Directors for the Information Systems Audit and Control Association (ISACA).

The organisation has been instrumental in my career development and success, and I am looking forward to collaborating with this brilliant group of professionals and serving the dynamic and diverse ISACA community.

You can view the official announcement here: https://bit.ly/2QkW5S6

Comments on the National Identity Management Systems Act (2021)

Dr. Ronnie Yearwood and Niel Harper recently collaborated to provide expert comments on the National Identity Management System Act (2021) just passed by the Government of Barbados. Given that this piece of legislation was quickly passed with no opportunities for public debate or feedback, we felt it necessary to articulate and ventilate some of our key concerns with the statute in its current form.

GENERAL COMMENTS

Disability and Accessibility

  • In line with the obligations under the United Nations Convention on the Rights of Persons with Disabilities, there are no provisions in the Act for mandatory accessibility features in the digital ID and related services. As such, persons with disabilities may be excluded.

Oversight and Liability

  • There is no mention of a supervisory and oversight body that ensures the digital ID system is used for its intended purposes (to prevent abuse and misuse), to audit and certify the digital ID provider and third-party trust services, to address complaints, and ultimately provide redress.
  • There is no mention of the liability to be assumed by the government or trust services providers to ensure due diligence, transparency and accountability of their operations and services related to the digital ID. The digital ID service provider (Government) and trust services providers should be liable for damage caused to any natural or legal person due to failure to implement robust privacy and security controls or otherwise disadvantage individuals via the delivery of the digital ID system.

Breach notification

  • The Act does not speak to data breach notification and the relationship between this statute and the Data Protection Act (2019) which is critically important.  Furthermore, the Office of the Data Commissioner does not have the staffing or capabilities to oversee the various activities related to large scale data collection and processing.

Comprehensive digital ID ecosystem

  • The Act does not comprehensively cover electronic signatures, electronic seals, time stamps, electronic documents, and website authentication. The legal effect of the above needs to be clearly defined to avoid confusion. Existing practices, standards and legislation exist that can be built upon to address these matters which are integral to a functional digital ID system. Without those features, the Government will essentially be replacing the existing physical ID cards and not truly realizing the value of a digital ID ecosystem that delivers identity, authentication and trust services.

Interoperability

  • The Act does not speak to an interoperability framework that guarantees the digital ID system is built using open standards and can be seamlessly integrated into national and cross-border digital identity ecosystems.

SPECIFIC COMMENTS

Discrimination and equality before the law

Section 5 (9) “A person who is a visitor shall not be eligible for registration in the National Register unless that person is a person to whom subsection (1) applies.

(Section 5(1) covers persons, for example born in Barbados or citizens of Barbados who “shall be registered in the National Register.”)

  • The point is that a person who is a visitor to Barbados shall not be eligible for registration in the National Register unless section 5(1) applies.
  • Is it that only Barbadians and persons resident in Barbados must register to gain access to public services (see section 5(10)) regarding the fact that if you are not registered under the Act you cannot get a national registration number, cannot be added to the electoral register to vote, cannot obtain a permit to drive, or qualify to access any goods or services requiring presentation of the ID?
  • This looks somewhat discriminatory because the same requirement does not seem to be placed on foreigners for any access to services. I have not seen a reason for this proposed by the government.

(Also see section 12(1) reads: “A person who is issued an identification card may be required to produce his identification card (c) for the purpose of voting in an election in Barbados; (d) for the purpose of accessing goods or services provided by the Government or the private sector… and that identification card shall be prima facie evidence of the identity of the person shown on the identification card…”)

Voter’s rights, registration and identification

Section 5(10)(d) “A person who is not registered under this Act shall not qualify to be added to the register of electors or the revised register of electors prepared under the Representation of the People Act, Cap. 12

Section 34(1) An identification card authorised under section 25 of the Representation of the People Act, Cap. 12 or under the Statistics Act, Cap. 192 shall remain valid for a period of 12 months from the date of the commencement of this Act.

  • Therefore, section 34(1) provides that an ID card under the Representation of the People Act shall only remain valid for 12 months from the commencement of the new ID law. When has the Act been commenced?

Section 12(1)(c) “A person who is issued an identification card may be required to produce his identification card for the purpose of voting in an election in Barbados.”

  • This needs clarification as there should be more than one valid piece of identification to enable voters’ rights […]

To read the full comments document, please click on this link.

You can also find a full copy of the ‘Barbados Identity Management Act’ here.

Too Many Unanswered Questions: The Barbados National Digital Identification (DID)

In September 2020, it was widely publicised that the Government of Barbados would be introducing a national digital identification (DID) card. As expected, the announcement and subsequent reports have included the usual public service rhetoric about shifting to a digital economy, delivering social benefits, increasing the efficiency of doing business, and transforming the country into an innovation hub. Putting this flowery political language aside, there are a number of questions that remain unanswered regarding the delivery of the DID project. Questions around clear policy objectives, economic value capture, social impact, technology standards and legal requirements that need to be addressed if Barbadians at-large are to truly profit from this initiative.

To be fair, a DID system represents innumerable benefits to the nation. It will serve as a key foundational element in transitioning to more accurate and efficient online delivery of government services (e-government), enhancing poverty alleviation and welfare services, reducing fraud, increasing financial inclusion, and serving national security interests.

However, without proper implementation, oversight and control, DID can inflict great harm on society, including the government or corporations profiting from the collection and storage of personal data, political manipulation of the electorate, social control of particular groups through surveillance, and restriction of access to uses such as payments, travel, and social media. Additionally, in the absence of a qualified and experienced project management team, it will most definitely be a ‘white elephant’ – a massive waste of public funds that does precious little to improve the lives of citizens. In the ensuing sections, I will provide a detailed analysis of critical risk areas that pertain to digital ID systems and what must be done to successfully alleviate them. 

To read the full article, please click on this link.

2021 ISACA Technology for Humanity Award

I have been selected as the recipient of the 2021 ISACA Technology for Humanity Award, with the citation:

“For contributions to capacity building across the world towards the development of affordable, open and user-centric Internet infrastructure.”

Since 2010, I have worked with organizations such as the Internet Society, Internet Engineering Task Force, Branson Centre for Entrepreneurship, United Nations, TEN Habitat, Google, NBCUniversal, IETF, European Commission, and others to lead, implement and/or support capacity building programs towards the implementation of open, affordable, secure and user-centric Internet infrastructure and applications in Africa, Asia-Pacific, Latin America & the Caribbean, and Europe.

This award recognises these contributions.

Hearty congratulations to all of the 2021 ISACA Global Achievements Award recipients!!!!

Blockchain Framework and Guidance

The Information Systems Audit and Control Association (ISACA) just released the ‘Blockchain Framework and Guidance’ publication.

“Blockchain Framework and Guidance provides an overview of blockchain, including history, types, benefits, features, concepts and use cases, and offers a framework for the adoption of blockchain technology across enterprises. The ISACA blockchain framework provides foundational information, practical guidance and proposed tools for proper blockchain implementation, governance, security, audit and assurance. The unique aspects of blockchain technology and the blockchain touchpoints with existing technology ecosystems are explained in detail. In addition, Blockchain Framework and Guidance maps existing technology implementation disciplines into the process of blockchain adoption.”

As a member of ISACA’s Emerging Technology Advisory Group, I served as an Expert Reviewer of this document.

You can access this excellent resource through ISACA’s Bookstore.

Why Linux is the Most Popular Operating System

If you engage in a discussion with the average IT professional about which operating system is the most popular, you will more than likely hear claims that Windows has more than a 75% market share. I argue that this is the furthest thing from the truth, and I will explain why below.

Linux operating systems are widely used in numerous software applications. From large scale social media platforms to gaming consoles to popular coding languages, it’s hard to avoid the use of Linux anywhere on the Internet. The integration of IoT, embedded systems and robotics in Linux has driven innovation across several industry verticals and is also fuelling increased market growth. Moreover, the availability of numerous open source codes and products will generate wider adoption across the world. The ongoing efforts taking place to replace conventional operating systems in the IT and telecom sectors with Linux-based systems has opened up massive growth potential for the overall market in the coming years. The increasing adoption of these systems in enterprise data centres and the explosion of data centre build-outs will have a huge impact on the growth of the market in the foreseeable future. But why is Linux so popular?

Price

What makes Linux attractive is the free and open source software (FOSS) licensing model. One of the most attractive elements offered by the OS is its price – totally free. Users can download current versions of hundreds of distributions. Businesses can supplement the free price with a support service if needed. Either way, there is no new hardware required. Another Linux benefit is the availability to download and run thousands of free, fully functional applications. In many cases, the quality of the software is equal or superior to well-known Windows applications.

Stability

This is a debatable point, and where I think Linux triumphs is because of its community. As Linux’s popularity grew, so did the number of developers and users involved in evolving the codebase. This army of highly competent and dedicated individuals has spent and continues to spend countless hours discovering and quickly correcting bugs, while also improving the code. The massive community support is in my opinion what makes Linux more stable and reliable.

Security

For the same reason underpinning its stability, Linux continues to be the most secure kernel currently running in production. When an exploit is discovered, it is immediately patched into the latest stable kernel and to all affected Long Term Supported (LTS) kernels. Taking cues from its UNIX predecessors, Linux was from the very beginning designed to be a multiuser operating system. This resulted in tighter permission and access controls for both users and applications. Consequently, attackers are pretty much disincentivized to write viruses or malware for the platform.

Support

While Linux and the operating systems using the kernel are free, supporting those operating systems typically requires companies and end users to pay for support subscriptions. As such, they are guaranteed to get the latest software technologies, hardware support and security patches integrated into their environment and onto their physical or virtual machines. They can also take advantage of the availability of many talented developers across the globe who can support their deployments.

All that sounds nice, but who really uses Linux anyway?

  • Android is Linux-based (there are currently more than 2.5 billion Android devices, representing 85% of the mobile market and 40% of all devices connected to the Internet)
  • AWS, Azure, Google, Rackspace and others use Linux to deliver their cloud services
  • Linux is running on most resource constrained devices, including IoT hardware and Raspberry Pi boards
  • A large percentage of home Internet routers run Linux
  • Telco networks are largely Linux-based (e.g. AT&T, Verizon, Nippon Telephone & Telegraph, China Mobile, Vodafone, Telefonica, etc.)
  • Science-based organizations, particularly those running supercomputers, rely on Linux (e.g. NASA, CERN, NOAA, universities, etc.)
  • The defence industry uses Linux to run submarines, ground control systems, radar, aircraft carriers, warships, etc.
  • Countries like the US, China, North Korea, Germany, Estonia, Iceland, Spain, India, Brazil, etc. use Linux in multiple public sector applications, especially for education, law enforcement, military, and e-government
  • National e-voting systems across the world predominantly use Linux
  • Embedded control systems for power utilities, water companies, manufacturing, auto assembly, etc. all use Linux
  • Most global stock exchanges run on Linux
  • Most in-flight entertainment systems run on Linux
  • Sabre, the ubiquitous airline reservation system, runs on Linux
  • Connected car systems run on Linux
  • The most innovative software such as OpenStack, Docker, Juju, Kubernetes, etc. were all designed initially to support Linux
  • Linux supports 32-bit and 64-bit x86, ARM, MIPS, SPARC, POWER microprocessors – making it highly portable
  • Linux runs on many types of obscure and outdated hardware

And the list can go on and on…

What are your thoughts on Linux?