The UK seeks to enforce tougher standards on MSPs

The UK government is proposing new regulations to strengthen cyber resilience in the private sector. Their intention is to expand cybersecurity rules for critical infrastructure (CI) operators to include managed service providers (MSPs), more stringent breach notification requirements, and legislation to establish the UK Cyber Security Council as the standards development organization for the cybersecurity profession. This is a welcomed development, but more details about implementation and enforcement are needed.

MSPs are deeply integrated into the supply chains of several businesses, especially those organisations categorised as CI providers. They not only have privileged access to their customer’s infrastructure and applications, but also to the personal data of millions of citizens. A single breach of a MSP can potentially allow threat actors to compromise hundreds, even thousands of organisations. Additionally, the accompanying fallout from personal data leakage would have a serious impact in terms of impersonation, fraud, and other identity-based crimes. Poor risk management practises and weak security controls in MSPs can have dire consequences to national security and the economic prosperity of the UK.

Better cyber incident reporting, especially where mandated by law, has several positive effects. For one, it ensures that regulations keep pace with the evolving threat landscape to better protect consumers by allowing them to respond quicker to leaks of their information. It also provides certain guarantees that law enforcement agencies (LEAs) receive timely information to better model threats, mitigate the risks, prevent or lessen harm from breaches, and take action to reduce the likelihood of future attacks.

At a macro level, the new regulations are focused on strengthening the country’s cyber-resilience in response to growing supply chain and critical infrastructure attacks – this is essentially a public safety matter. It can provide security to UK citizens against the negative impacts of attacks on critical infrastructure providers such as financial services, telecoms, energy, food & agriculture, defence, manufacturing, and others. It also protects businesses in these key industries where the incapacitation or destruction of their assets, networks and systems would have a paralysing effect on the UK’s national security, economic security, national public health or safety, or any combination thereof.

Cybersecurity is a risk management discipline, and improvements in the overall assessment of risks and development of effective risk responses leads to better security posture. For example, ransomware attacks are very much preventable, yet many businesses don’t invest the time or resources to understand their risks/exposures and implement relevant controls such as data recovery processes, isolated backups, encryption at rest, and routine backup testing. I believe these new regulations can most definitely enhance risk management capabilities in MSPs and other CI operators to counteract a broad range of cyber attacks, including ransomware.

It is imperative that companies develop stronger capabilities around risk management. For one, they need to view cyber risks as business risks and recognise that the impacts range from financial (loss of revenue or drop in share price) to operational (business disruption) to reputation (loss of customer and shareholder confidence) and ultimately regulatory (fines or other penalties). Consequently, they will need to embed a risk culture and build risk management capacity across their enterprises, or face punitive regulatory measures.

A shocking percentage of businesses routinely ignore growing cyber threats, thinking that “it won’t happen to them.” And this isn’t just small to medium enterprises (SMEs), but also large businesses across critical sectors. Several of these organisations don’t have a dedicated cybersecurity leader or functional information security department, refuse to invest in much needed controls and capabilities, and regularly hide breaches from staff, customers, and investors. Without specifically calling out any companies, there are more than enough examples of massive breaches at major businesses to validate my points. The price of failing to act is way too high, and the government would be negligent to not introduce these new regulations.

ARIN 48 – Evolving Cybersecurity, Strategies for the New Normal

It was great participating in this panel discussion today, exploring the different ways law enforcement, international organizations, service providers, and standards development organizations are shifting their strategies to address an evolving threat landscape.

The cross-cutting theme that was evident in each presentation was COLLABORATION. More specifically, each panelist repeatedly emphasised the importance of cross-border, cross-sectoral collaboration in effectively combating cybercrime. 

It is essential that both businesses and governments anticipate and incentivise collaboration and accountability through strong public-private partnerships (PPPs), which will make it more difficult for threat actors to commit criminal acts online. For the private sector, it’s essential for business to enhance information-sharing relationships, within industry and with the public sector, to deliver a more all encompassing approach to incident response, threat management and disruption of cybercrime.Through collaboration and cooperation, and creating implementing mechanisms for information-sharing and tactical collaboration, the good guys will make successful inroads into the fight against global cybercrime.

Thanks to the American Registry for Internet Numbers (ARIN) for the opportunity to share my thoughts!

Ransomware: To Pay or Not to Pay? And… How Not to Pay!

I very much enjoyed this amazing panel discussion with the brilliant Larry Whiteside Jr. and the thoughtful and engaging Andrew Hay. I also have to mention the excellent moderation by James Coker.

We discussed a range of topics from ransomware trends to cyber insurance to holistic incident response/disaster recovery to public-private partnerships in support of better overall industry response to ransomware attacks.

I hope the audience participants had as great a time as I did.

Finally, I want to extend my humblest thanks to Infosecurity Magazine for inviting me to speak at their Online Summit!

The on-demand video of the session can be found here. Check it out!

Caribbean Security & Resilience Awards Winners Announced

The winners of the 2021 Caribbean Security & Resilience Awards have been announced!

Congratulations to the other award recipients:

  1. Peter Bäckman (Dominican Republic)
  2. Kwailan M. Bridgewater (Trinidad & Tobago)
  3. Lysandra Capella (Curacao)
  4. Rosa Damaris Diaz de Tejada (Dominican Republic)
  5. Gavin Dennis (Jamaica)
  6. David Gittens (Barbados)
  7. Stevez Gomes (British Virgin Islands)
  8. Garth Gray (Jamaica)
  9. Norval West (Jamaica)

I was quite surprised to be recognised for my contributions, and deeply humbled to be in such esteemed company.

Thank you all for what you do day in and day out to keep the Caribbean region #cybersecure!!!!

The official announcement on the International Security Journal’s website can be found here.

ARIN/CaribNOG Technical Community Forum

The COVID-19 pandemic continues to impact networks, economies and societies across the Caribbean. More than ever, keeping critical systems secure, resilient, and accessible is a collective responsibility. This year’s Forum presented the opportunity for participants to understand the role the American Registry for Internet Numbers (ARIN) and other Internet development focused organizations play in supporting critical Internet Infrastructure in the Caribbean. It also facilitated the networking of people necessary to truly support and strengthen our technical community in the region.

ARIN has been collaborating closely with CaribNOG, a volunteer-based network operators’ community, to strengthen technical capacity in the region. This forum assembled some of the leading experts in the region and from around the world to address the fourth staging of our Technical Community Forum.

As the first featured speaker, the topic of my address was ‘Global Cybersecurity Trends and Implications.’ I first discussed the global shortage of cyber security personnel and encouraged the Caribbean to focus on the development of cybersecurity experts to support local, regional, and global demand (and also as a key element of national cyber workforce development). I also touched on other topics such as developing cybersecurity programs with constrained budgets, coordination and cooperation towards increase security resilience, and how to stay on top of developments in an increasingly complex threat landscape.

Many thanks to ARIN and CaribNOG for their invitation to speak!

Cybersecurity: Risks, Progress and the Way Forward in Latin America & the Caribbean

I will be chairing this Global Cyber Forum on 21 October 2020, where we will be discussing the state of cybersecurity capacities and capabilities across the Caribbean region.

Our speaker will be Kerry-Ann Barrett, Cybersecurity Policy Specialist at the Organization of American States (OAS), where she offers technical assistance to Member States in the development and implementation of their national cyber security strategies as well as assists in the implementation of various technical projects with the OAS Cybersecurity Program.

The overall basis for the session will be the 2020 Cybersecurity Report prepared by the Inter-American Development Bank (IDB), Organization of American States (OAS), and the Global Cyber Security Capacity Centre, University of Oxford. Our discussions will focus on the progress made thus far across the Caribbean, and what steps are necessary to move to the next level, including key areas such as national cybersecurity strategies, related action plans, or other cybersecurity capacity-building programs.

Tune in for what will be an engaging and informative session!

Internet Infrastructure Security Guidelines for Africa

To facilitate implementation of the Convention, the African Union Commission (AUC) asked the Internet Society (ISOC) to jointly develop the Internet Infrastructure Security Guidelines for Africa. The Guidelines were created with contributions from regional and global Internet infrastructure security experts, government and CERT representatives, and network and ccTLD DNS operators. As one of the cybersecurity experts involved in the development of these Guidelines, I am proud and deeply humbled to have made a contribution.

The Guidelines emphasize the importance of the multistakeholder model and a collaborative security approach in protecting Internet infrastructure. The Guidelines put forward four essential principles of Internet infrastructure security: Awareness, Responsibility, Cooperation, and adherence to Fundamental Rights and Internet Properties.

These critical actions are tailored to the African cybersecurity environment’s unique features: a shortage of skilled human resources; limited resources (including financial) for governments and organizations to allocate for cyber security; limited levels of awareness of cyber security issues among stakeholders; and a general lack of awareness of the risks involved in the use of information and communication technologies (ICTs).

Only with ongoing multistakeholder efforts from the African Internet community can the continent overcome its challenges, embrace its opportunities, and become an Internet world leader.

6 Tips for Protecting Against Ransomware

The Internet Society has been closely monitoring the ransomware cyber-attacks that have been occurring over the last couple of days. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt, exploits a flaw in Microsoft Windows that was first reportedly discovered by the National Security Agency (NSA). A group of hackers leaked the code for exploiting this vulnerability earlier this year, and a fix or patch was available as far back as March 2017. Since Friday, 200,000 computers in 150 countries have been compromised using this exploit. The numbers are expected to grow exponentially as people settle back into their work routines and regular use of computer systems this week. As part of our continuing work in online trust and security, there are some key takeaways from this incident that we want to leave with our community.

Firstly, we want to highlight the extremely negative effects which government stockpiling of vulnerabilities and zero day attacks has on the overall security of the Internet. With over 60 countries known to be developing growing arsenals of cyber weapons, and with many of these exploits leaking into the public domain, the potential for widespread damage is a massive cause for concern. The impact is not only economic in terms of financial loss, but social in terms of how it impacts end user trust, and most importantly human in terms of loss of life (especially given that ransomware attacks have been focusing on hospitals). And with critical infrastructure like power plants, dams, and transportation systems being targeted in nation state cyber offensives, the threat to human life increases exponentially.

Secondly, it would appear that some hospitals are easy targets for ransomware attackers. Their systems house data that is critical to patient care and management, and many of these institutions don’t have the IT resources to support critical process areas like vulnerability management, patch management, business continuity management, etc. In general, hospitals are also now adapting to digital realities and a number of them are playing catchup with regards to cyber readiness. However, the aforementioned challenges are not unique to hospitals, and are faced by many small and medium enterprises (SMEs), and in several instances, large corporations. Individual users are also targeted based on their generally poor Internet hygiene or lack of security awareness.

We want to take this opportunity to emphasize the importance of good online security practices when accessing the Internet. So here are 6 basic tips for protecting against ransomware:

1. Employ strong, multi-layered endpoint security – Using endpoint security that can protect web browsing, control outbound traffic, protect system settings, proactively stop phishing attacks and continuously monitor for anomalous system behavior will allow for better protection of servers, laptops, tablets, and mobile devices.

2. Maintain regular backups of your critical data – Backups can help you to protect your data from more than just ransomware. Other risk events such as malware, theft, fire, flood or accidental deletion can all render your data unavailable. Be certain to encrypt your backed-up data so it can be effectively restored. Backups should also be stored at an offsite location isolated from the local network.

3. Do not open unsolicited emails or messages from unknown senders – Many ransomware variants are distributed through phishing attacks or email attachments. Increased mindfulness when handling ‘suspect’ emails can be effective in combating ransomware.

4. Patch your systems regularly – Patching your systems for vulnerabilities reduces the opportunities for hackers to infect you with ransomware. The fact that a patch was available for the WannaCrypt vulnerability since March highlights the somewhat lax attitude by organizations and individuals to keeping their system patches up to date. That being said, patch management is a complex activity and can impact the availability of key systems. Hence, thorough testing must be conducted to avoid unplanned downtime.

5. Disable macros if possible – Many forms of ransomware are distributed in Microsoft Office documents that attempt to trick users into enabling macros. There are a number of tools available that can limit to functionality of macros my preventing them from being enabled on files downloaded from the Internet.

6. Be aware and vigilant – For individuals, don’t assume that only techies need to know about all the recent malware and trends in online attacks. Subscribe to mailing lists that provide information on common vulnerabilities and exposures. In the case of organizations, developing an information security awareness program is an integral part of improving overall security posture.

Finally, we want to touch on the important work being done by the Online Trust Alliance (OTA), the Internet Society’s newest initiative. The OTA’s mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices and data stewardship. With regards to preventing ransomware attacks, OTA has developed a number of industry best practices that address key threat areas such as email authentication and incident response. These are as follows:

Email Authentication: https://otalliance.org/resources/email-security

Domain-based Message Authentication, Reporting & Conformance (DMARC):https://otalliance.org/dmarc

Cyber Incident & Breach Response: https://otalliance.org/resources/cyber-incident-breach-response

Additional OTA best practices, resources and guidance to help enhance online safety, data security, privacy and brand protection can be found here.

The Spam Toolkit developed by the Internet Society also provides some guidance on addressing online threats.

The Internet Society is committed to the enhancement of online trust, and our work along this vein spans multiple areas. Our goal is to continue to provide our individual members, organizational members, chapters, partners, and other constituents with timely and relevant information and resources that equip and empower them to act.

My original blog article was published on the Internet Society website at: http://bit.ly/2qMuQ4U

Internet Infrastructure Security in Africa

The Internet is becoming critical infrastructure for Africa. Across the continent, Africans increasingly depend on the Internet to communicate, socialize, and most importantly to conduct their day-to-day jobs and activities. A major outage of the Internet infrastructure is a prevailing fear for network operators, governments and users alike. But, has Africa secured its Internet Infrastructure?

I just finished participating in a panel discussion titled ‘Internet Infrastructure Security in Africa’ at the African Internet Summit (AIS) in Gaborone, Botswana. We sought to identify the major security challenges facing the Internet infrastructure driving Africa’s digital economies. This panel is a precursor to my participation in developing guidelines that will serve African countries in their efforts to protect their Internet Infrastructure from present and future threats.

My speaking points were specifically about existing mechanisms to combat various threats, and the cooperation between key stakeholders to defend their organizations/countries from and ever changing threat landscape. I also described what types of structures were needed at the national and regional level based on best practices from around the world.