Tag: Cybersecurity

Cyber firms need to centre their own resilience

nielharper

I recently authored a piece for the ComputerWeekly.com Security Think Tank discussing incident response in the wake of the July CrowdStrike incident, and articulating my viewpoint about what CrowdStrike got wrong, what it did right, and next steps

“Information security is essentially an information risk management discipline. By rendering many information systems inoperable, the global outage precipitated by Crowdstrike prevented several companies from accessing critical business information due to unplanned and extended downtime.

The unavailability was not only to information systems, but also to related information processing. It was not only an information risk event, but it was also an information security incident. And the impact of the risk event/information security incident was high from operational, financial, reputation, legal, technological and even regulatory perspectives.”

The full article can be found at this link.

Cybersecurity Risks and Solutions in Outsourcing

nielharper

Q: How can generative AI be leveraged to enhance defensive capabilities and support the work of cybersecurity professionals?

A: AI and related features such as machine learning, natural language processing, data mining, predictive analytics, behavioral analytics, and automated decision-making can be used to recognize patterns and learn from past incidents, interpreting human language and democratizing security decision-making across relevant teams, extracting valuable patterns and insights from large datasets, forecasting potential threats based on historical data, monitoring and analyzing user behavior to detect anomalies, and enabling quicker, data-driven responses to identified threats.

Still, AI has become a buzzword recently and is by no means a panacea or replacement for good security practices. Cybersecurity professionals must still develop competencies in delivering the core basics of day-to-day operations—risk assessment, asset management, vulnerability management, security architecture, secure software development, identity and access management, audit logging and monitoring, etc.”

I very much enjoyed this interview with Hugo on third-party risk management (TPRM), especially around clarifying how strong TPRM controls can allow businesses to reap significant benefits from outsourcing key business processes (e.g., cost savings, leveraging specialised talent, productivity, scalability, optimisation of of advanced technologies, strengthening data security, increased global footprint, etc.).

You can view the full interview at this link.

The Lacework Modern CISO Network: Board Book

nielharper

“When boards fail to adequately oversee a growing risk with potentially catastrophic consequences, it’s a serious issue.

Yet, the problem remains — and often goes undetected.

Cybersecurity-related discussions in boardrooms sometimes seem to offer great promise; but in reality, they are unproductive sessions that lead to unfulfilled hopes. On the flip side, sometimes important issues are raised and directors do not sufficiently comprehend the matter under discussion. When board members do have technical knowledge, but are unfamiliar with both cybersecurity at the strategic level and the process of security oversight, boards seem to make other time-sucking errors that can create dangerous failures of oversight.

Finding board members who can successfully blend cybersecurity know-how with business acumen is not an easy task. According to the IANS Research report, just 14% of Russell 3000 CISOs have at least four out of the five ideal board candidate traits.

It is this challenge that this publication seeks to reconcile.”

The Modern CISO Network: Board Book offers boards a directory of experienced experts ready to advise and guide businesses as they navigate the complex world of cybersecurity. By arming companies with a diverse directory of CISOs and other cybersecurity leaders with relevant expertise both in terms of cybersecurity and business acumen, the board book will hopefully make it easier for companies to improve their resilience against modern-day threats.

Transitioning from a techie to a business leader is one the most valuable steps that a CIO or CISO can take, and provides immense value to both the individual in their professional journey and to the organization in terms of addressing pervasive business risks.

I am happy to be featured in the Board Book alongside some of the most outstanding board-ready CISOs in the world. I tip my hat to each and every one of them!

Essential skills for today’s threat analysts

nielharper

“Skilled threat hunters can play a dual role for organizations, hunting for threat actors as well as ensuring budget is directed at tools and technology that will bolster the hunting capabilities, according to the SANS 2023 Threat Hunting survey. However, a lack of skilled staff is hampering the success of threat hunting efforts, according to the global survey of 564 respondents drawn from SOC analysts, security managers and administrators.

Adding to the task, threat hunters themselves are seeking more training, education, and support from management, the survey has found. As CISOs look ahead to 2024 and the cybersecurity challenges it will bring, what do they need from threat hunting teams and how should threat hunters themselves look to strengthen their skill set?”

Threat analysts play crucial roles in cybersecurity. Without them, it is near impossible to obtain actionable intelligence on potential threats, and other security professionals like security architects and security engineers have no way to effectively focus their efforts.

Demand for threat analysts is also growing and many enterprises have decidedly made threat analysis one of their top security priorities.

It was great speaking to Rosalyn Page about the critical skills that threat analysts need to be successful. She asks the most probing questions and has brought together the insights of several professionals into a solid article.

Check out Rosalyn’s article here.

Comments on the Barbados Cybercrime Bill (2023)

nielharper

PART II – PROHIBITED CONDUCT

Illegal access

Part II (4) (1-2) is far too broad in its scope and can implicate innocent or well meaning individuals such as cybersecurity professionals, researchers, activists, and whistleblowers. It’s even more problematic where judicial officers aren’t trained to understand how to distinguish criminality from activities that serve the public interest, protect organizations, or advance the cybersecurity profession.* Certain guidance should be included with the legislation to distinguish between acceptable and criminal behaviours.

For example, the European Union (EU) General Data Protection Regulations (GDPR) includes 172 recitals – also known as preamble – that provides context and explains the reasons for the regulations. There was also an explanatory memorandum that provided further details on the proposed legislation.

Misuse of devices

Part II (9) (a-b) There are a number of dual use programmes and applications which can be and are used for both legitimate testing and protection of computer systems and conversely for malicious intent. There should be language here which acknowledges such and removes criminality in cases of ethical hacking for instance.

Disclosure of access codes

Part II (11) (1) There are several legitimate reasons for sharing access codes or credentials without authority, and this alone should not be illegal. The qualifier for criminality should be when the individual knowingly or has reason to believe that it is likely to cause loss, damage or injury to any person or property.

Critical information infrastructure system

Part II (12) (1) The list of critical information infrastructure (CII) systems is too limited in scope. A broader list should be published as an appendix or guidance note when the act is proclaimed (e.g., financial services, water utility, transportation, healthcare, hospitality, etc.). This should not be vague or left up to interpretation.

Note: Complementary critical infrastructure (CI) protection legislation is needed to ensure that:

  • There is a legal framework or a mechanism to identify operators of critical information infrastructure.
  • Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • Public sector organizations are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.

Malicious communications

Part II (19) (3) This is deeply problematic and can be used to stifle freedom of expression or valuable public commentary. It can also be leveraged to prevent criticisms of politicians/public personalities or for the purpose of political persecution. This same vague language exists in the Computer Misuse Act 2005, and has been improperly used for the same abuses identified. There must be safeguards and/or independent supervision in place to ensure that such vague clauses are not abused. This applies to several other elements of this Bill.**

Cyber bullying

Part II (20) (1) – Same as the previous comment.

Cyber terrorism

Part II (21) (1-2) This is too limited in scope and should include any use of computer systems for terrorism or organized crime. It should also include preparatory acts for terrorism or organized crimes (these are not the crimes themselves but the precipitating actions).

PART III – INVESTIGATION AND ENFORCEMENT

Search and seizure

Part III (23) (1-2) gives law enforcement excessively broad powers when it comes to confiscation and access to computer systems (including smaller form factors such as tablets and mobile phones). These types of powers require independent and effective oversight functions (as does this entire Act).

Assisting a police officer

Part III (24) (1-5) Some of the provisions in this section are concerning and can be used to force individuals to grant access to their personal devices, especially in the event that the grounds for disclosure have not been met. Again, this requires independent and effective oversight functions, and the oath of a police officer shouldn’t be enough to obtain a warrant that grants such far reaching powers.

Production of data for criminal proceedings

Part III (26) (1) This gives law enforcement excessively broad and intrusive surveillance powers when it comes to intercepting Internet communications, compelling service providers to handover subscriber data and Internet activity, and other potentially disproportionate collection or interception of online communications. These types of powers require independent and effective oversight functions. Again, the oath of a police officer shouldn’t be enough to obtain a warrant that allows for such intrusive acts.

Preservation of data for criminal proceedings

Part III (28) (1-3) There is no discussion of the conditions and safeguards for adequate protection of human rights and liberties when collecting and storing (preservation) data for criminal proceedings. This includes maintaining the “chain of custody”, protection of personal data in line with the Data Protection Act, handling of sensitive data, retention periods, adequate security measures, automated decisions (e.g., use of AI), sharing personal or sensitive data with third-parties, records of how data is accessed and used, etc. The provisions should also include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.

General observations – Part III

Part III (Investigation and enforcement) is missing key provisions related to:

  • Joint investigations or joint investigation teams
  • Expert witness testimony by video conferencing
  • Emergency mutual assistance (which is different to expedited disclosure)

ALIGNMENT WITH THE BUDAPEST CONVENTION

2nd Protocol of the Budapest Convention

It is clear that the Cybercrime Bill was patterned after the Council of Europe’s (CoE) Budapest Convention, which has been deemed as outdated or deficient for several reasons. The Additional Protocol and the Second Additional Protocol of the Budapest Convention treat additional issues around racism, xenophobia, enhanced cooperation, and access to electronic evidence (e-evidence). The drafters of this Bill do not appear to have integrated the substantive updates from the additional protocols or consider the protections and safeguards required by the Budapest Convention to protect human rights. So it looks like the government is essentially looking to enact legislation that is outdated and not in step with current technology developments or evolving jurisprudence.

* Training of judicial officers, especially with regards to technology law and privacy law, is a major problem in the country. Because these specialist areas of law are emerging, there is poor understanding of the issues by magistrates, judges, prosecutors, etc. and limited case law to refer to locally or in other regional jurisdictions. Consequently, many rulings / decisions have flawed bases, and individuals are often under- or over-penalised.

** The Budapest Convention, on which the Cybercrime Bill is based has an accompanying 60-page explanatory report that specifies the additional checks and balances and rule of law-based environment that countries like Barbados should have underpinning their cybercrime legislation. The explanatory report also covers the background, scope, objectives, and main provisions of the Convention, as well as the challenges and opportunities of cybercrime.

The current version of the Cybercrime Bill (2023) can be found here: https://bit.ly/3uLrSQC

UPDATE: On 6 May 2024, I presented a more detailed critique of the Cybercrime Bill to the Parliamentary Joint Select Committee. The presentation can be found HERE.

How municipalities are dealing with being low-hanging targets for hackers

nielharper

“On cybersecurity veteran Niel Harper’s first day as virtual CISO at a municipal agency, he was thrown immediately into the reality in which cities and town administrations find themselves today — under threat and scrambling to find the resources to fight back.

The new organization, which he asked not to be named for security reasons, came under a massive ransomware attack that encrypted the entire production environment in a matter of hours. The attackers compromised the network via a weak administrative password, encrypted all servers and storage systems, and reset the backup servers to factory settings. “The client had no response plan in place, so I had to build one on the fly,” he says. “I used that experience to create a detailed incident response plan with roles and responsibilities, and then followed up with annual desktop attack simulations.””

Local governments, much like hospitals, schools, and municipal water authorities, are “low-hanging fruit” – organizations that lack the resources to effectively defend themselves against routine cyberattacks, never mind an advanced persistent threat (APT). For threat actors targeting under-resourced local governments, the goal is not necessarily financial reward but instead to broadly disrupt society at the municipal level. A number of successful cyberattacks have severely impacted local governments in recent years. These include attacks on targets ranging from 911 call centres to public school systems to community clinics. The consequences of a successful cyberattack against local government can be debilitating.

Myself and other cybersecurity leaders recently spoke to Deb Radcliff at CSO Online about what local governments can do to better defend themselves against online threat actors, including enhancing recruitment, leveraging available resources from national cybersecurity agencies, and building incident response capabilities, among others.

Check it out!

ISACA Board Director Niel Harper Secures a Role on the Professional Standards Working Group of UK Cyber Security Council

nielharper

“The UK Cyber Security Council has announced that Niel Harper, a cybersecurity executive and member of the ISACA Board of Directors, has secured a role in its Professional Standards Working Group. This appointment is an important recognition of Harper’s expertise and contributions to the field of cybersecurity.”

Workforce development is critically important to the security and resilience of nation states (and organizations as a matter of fact). There is diversity in the breadth and depth of cyber security skills required across government. These include deep technical skills and the non-technical cyber security skills that are needed across other specialisms and professions, such as digital, policy, commercial and assurance.

Guided by the standards and pathways established by the UK Cyber Security Council, the UK government will develop its understanding of the range of cyber security skills and knowledge required across government and will respond accordingly, ensuring that its workforce is inclusive and diverse.

I am honoured to have been chosen to join the Professional Standards Working Group of the UK Cyber Security Council. Collaborating with top experts in the field to shape the future of cybersecurity standards in the UK is an exciting opportunity.

Regulating AI Tech is No Longer an Option: It’s a Must!

nielharper

“Responsible, ethical use of AI is the key. From a corporate perspective, business leaders need to articulate why they are planning to use AI and how it will benefit individuals. Companies should develop policies and standards for monitoring algorithms and enhancing data governance and be transparent with the results of AI algorithms. Corporate leadership should establish and define company values and AI guidelines, creating frameworks for determining acceptable uses of AI technologies.

Achieving the delicate balance between innovation and human-centered design is the optimal approach for developing responsible technology and guaranteeing that AI delivers on its promise for this and future generations. Discussions of the risks and harms of artificial intelligence should always be front and center, so leaders can find solutions to deliver the technology with human, social and economic benefits as core underlying principles.”

I recently wrote a short piece on the ISACA Now Blog explaining why a robust framework of laws and regulations are needed for the potential of “AI” to be truly realised.

Check it out and let me know your thoughts!

Digital ID Explained: Pros, Cons, and “Should I get the Trident ID card?”

nielharper

PURPOSE

I continue to receive countless questions from various walks of Bajan society about the Trident ID card and the national digital ID program. This is stark evidence that the Government of Barbados HAS NOT done an adequate and effective job of alleviating the concerns of the public. As such, I wanted to clarify once and for all the pros and cons of digital ID systems, and answer the million dollar question I am repeatedly asked, “Should I get the Trident ID card?”

INTRODUCTION

Digital identity (ID) has become the topic of the moment in Barbados, given the government’s poor implementation, failure to address the fears and anxieties of the public, and generally ineffectual communication to the average person on the street as to why they need digital ID and what value it will bring to their lives. The government has set out to provide a single digital identity to all residents/citizens through the collection, storage, and use of their biographic data (e.g., name, address, date of birth, gender, national registration number, etc.) and possibly their biometrics (e.g., fingerprints, iris scans, facial scans, etc.) as the primary means of establishing and verifying their identity. They will achieve this through a legally mandated, centralised national digital ID system.

Governments, international organizations, and multilateral banks (e.g., International Monetary Fund, World Bank, etc.) argue that digital ID systems provide benefits such as more effective and efficient delivery of government services; poverty reduction and welfare programs; financial inclusion through better access to banking and other products/services; minimise corruption; and preservation of national security interests. Multilateral banks are providing significant funding to developing countries to implement digital ID. In some cases, they’re even making the implementation of digital ID systems a ‘condition’ of loan agreements.

Critics maintain that digital ID systems may actually not guarantee more effective access to social and economic benefits, enhance service delivery, or improve governance, while at the same time, they raise serious issues, including worries about how they are developed and managed; social exclusion and discrimination; privacy and data protection; cybersecurity; and major risks for human rightsWith regards to human rights, they threaten the right to privacy, freedom of movement, freedom of expression, and other protected rights. Additionally, since they usually involve the creation and maintenance of centralised databases of sensitive personal data, they are also prone to breaches by hackers or abuse/misuse by government institutions. These issues may lead to digital IDs becoming widespread tools for identification, surveillance, persecution, discrimination, and control, especially where identities are linked to biometrics and made mandatory. 

For a more detailed explanation of both sides of the debate, please see below the PROS and CONS related to digital ID systems.

PROS

Easier access to services: digital ID systems can enable more efficient digital transformation across the local economy and increase Barbados’  participation in the global digital economy, especially given that many transactions – local and international – require personal identification. With Barbadians presented with less obstacles to prove their identity, commercial activities (including e-commerce) and government services (including e-government) become more accessible and effective.

Faster and cheaper transactions: the use of digital ID can allow for reductions in costs and response times, resulting in speedier execution, less red tape, and the availability of more responsive and relevant services. The quickness and trust with which a person’s identification can be verified allows for cheaper and more efficient interactions for all involved.

Fraud reduction: digital ID systems can offer several benefits in terms of online security, thus reducing the occurrence of online scams, fraud, and personal data breaches. A number of countries that have implemented digital ID have experienced significant decreases in fraud, saving them tens and even hundreds of millions of dollars.

The graphic below outlines several ways in which digital ID can be used based on the roles played by organizations and individuals (Source: McKinsey).

The four (4) main areas of direct economic value for individuals have been identified as increased access to financial services, improved employment opportunities, greater agricultural productivity, and time savings. The five (5) highest sources of value for institutions – both the private and public sectors – are cost savings, fraud prevention, increased revenues from goods and services, improved employee productivity, and higher tax revenues.

CONS

Privacy and security: digital ID systems process billions of data points of our private information, regularly without our consent or knowledge. This information can include biographic details (NGN, date of birth, gender), biometrics (facial recognition, iris scans, fingerprints), banking and transactional data, and location-based info when digital ID is used for example in public transportation (the government has expressed plans to use the Trident ID for cashless payments on buses). The centralisation of so much data, excessive sharing of personal data without user consent, inability to control your personal data, exposure to cyber attacks and data breaches, and in worst case scenarios – mass surveillance by corporations and governments – are all issues which show the potential negative impact of digital ID.

Discrimination, biases and exclusion: the Barbados Digital Identity Act has a number of clauses which generate concerns about discrimination and exclusion. The Act states in several places that the digital ID will be required for persons to be added to the register of voters, to vote in elections, to access public and private services, and to obtain a driver’s license. There are no provisions in the Act for mandatory accessibility features in the digital ID and related services. As such, persons with disabilities may be excluded (e.g., the Trident ID website currently DOES NOT have several accessibility features for the disabled). Digital ID technologies are also at the end of the day developed by humans, and through poorly designed algorithms and data analytics, can reinforce their biases. Discrimination against key communities such as immigrants, LGBTQ+, homeless, and the disabled, among others have been highlighted in many digital ID related studies globally.

Technical errors: unintended consequences can occur that lead to restricted access to critical services (e.g., failures in authentication at points of service with no redundancy; websites that aren’t user friendly or stable; duplicate or inaccurate records; inability to add essential information; or the lack of reliable technical support, etc.). The government must fully consider availability risks and identify user-centric and privacy-enabling solutions to mitigate them. In African and Asian countries, numerous instances of technical errors were uncovered which presented citizens with major challenges.

Deployment challenges: five key problems exist, which are the lack of funding to maintain secure cyber systems and to hire or retain critical human resources to administer them; unequal access to mobile Internet and smartphones – the technology with the most potential to drive the uptake of digital ID; dependency on a specific technology or vendor; low trust in government; and the difficulty of rolling out in rural areas.

SHOULD YOU GET THE TRIDENT ID CARD?

As I have stated before, my concern is not particularly with the Trident ID card. The card is only one small piece of the overall digital ID ecosystem. My biggest concerns are as follows:

Poor legislation underpinning the digital ID system: Digital ID must be supported by a legal and regulatory framework that supports trust in the system, prevents abuse such as warrantless and disproportionate surveillance, guarantees data privacy and security, prevents discrimination, and maintains provider (government and corporations) accountability. This includes laws for digital ID management along with laws and regulations for e-government, privacy and data protection, computer misuse, data sovereignty/localisation, electronic transactions, limited-purpose ID systems, accreditation of participants, and freedom of information, among others. Unfortunately, a number of these laws are not available in Barbados at this time, and where they are, the language is problematic, enforcement is deeply lacking, or the legislation is outdated.

Government’s atrocious record in terms of protecting IT systems and the personal data privacy of individuals: The Government of Barbados DOES NOT have the resources (people, processes, or technologies) to secure complex IT systems and provide consistent privacy-enabling solutions. If they did, there would not be so many successful cyber-attacks and data breaches of government online systems in recent years (e.g., Queen Elizabeth Hospital, Ministry of Information and Smart Technology, Immigration Department, Barbados Police Service, and many others). Until government invests significantly in building their capacity in these areas, their IT systems and the personal data of Barbadians will be AT RISK.

The communication (or lack of) by government addressing the public angst around their digital ID program: Government has not effectively articulated the benefits of digital ID, its value to the average person on the street (in real and meaningful terms), its potential disadvantages and risks, what they are doing to manage these risks, and what Barbadians can do to protect themselves. Instead they have chosen to evade questions, avoid public discussion with experts involved, and turn their resources towards attacking private citizens who are expressing concerns.

In 2018, I conducted a European Union (EU) cybersecurity assessment for the the Government of Barbados. In the report, I clearly stated:

Trust in the Internet and in the use of online services is critical to developing a thriving local Internet economy and to participating widely in the global digital economy. Low trust in the Internet, e-government services, and e-commerce services hampers the government, businesses and consumers from fully taking advantage of all the economic benefits the Internet has to offer. Given the high fixed broadband and mobile data penetration rates in Barbados, this is especially concerning.

European Union Consultancy to Develop a Government Cybersecurity Assessment and Strategic Roadmap – Cybersecurity Assessment Report (Authored by Niel Harper)

From 2018 to this present day, the government has failed to address the low levels of trust or their lack of expertise in delivering secure and privacy respecting IT solutions, all of which are undoubtedly preventing them from delivering their digital transformation and modernisation agenda (including the implementation of the digital ID).

Ultimately, Barbadians need to decide for themselves if the value of obtaining the Trident ID outweighs the associated risks. I cannot make this decision for anyone. All I can do is educate and build awareness, and try to put some pressure on the government to be more accountable and take greater responsibility for protecting citizens from the negative effects of digital ID, mass personal data processing, cyber attacks and data breaches, human rights violations, online fraud, and other harms resulting from widespread government use of information and communication technologies (ICTs).

ADDITIONAL RESOURCES

FACT CHECK: The Electoral and Boundaries Commission’s Response

Why the Barbados Election Least Data Leak is Problematic – And How It Could Have Been Prevented

Comments on the National Identity Management System Act

Too Many Unanswered Questions: The Barbados National Digital Identification

Creating a good ID system presents risks and challenges, but there are common success factors

What is a digital identity ecosystem?

Understanding the risks of Digital IDs

12 steps to building a top-notch vulnerability management program

nielharper

Along with my peer CISOs, I recently added my $0.02 to a CSO Online article on how to get the best results out of an enterprise vulnerability management program.

I particularly wanted to zoom in on key performance indicators (KPIs), given this is an area where many security professionals don’t focus enough of their attention.

“He says organizations could use any of the commonly used key performance indicators—such as percentage of critical vulnerabilities remediated on time and percentage of critical vulnerabilities not remediated on time—to measure current state and track improvement over time.

Other KPIs to use could include percentage of assets inventoried, time to detect, mean time to repair, number of incidents due to vulnerabilities, vulnerability re-open rate and number of exceptions granted.”

What are some of your key focus areas?