
Achieving Caribbean Cybersecurity


A look at why Caribbean cyber security is important, Caribbean experiences achieving cyber security, why an effective strategy is critical and the importance of an effective Information Governance strategy.


  1. Achieving Caribbean Cyber Security
     Shiva Bissessar, BSc (Hons), MBA, MSc
     Managing & Technical Director, Pinaka Technology Solutions
     @Beascycle

  2. In Brief
     • 17 years of ICT experience, 5 of which in senior professional roles delivering major telecommunications and information security projects.
     • 2008: Founding member of an Information Security focused organizational unit. Established a digital forensics lab, had oversight of vulnerability analysis and penetration testing, and assisted the policy development process.
     • M.Sc. in Information Security from University College London.
     • Information Security advisory & ICT programme management.

  3. The Caribbean Is Immune… Is it?
     • Feb 2014: NGC issues an Invitation to Prequalify document for audit services citing "Information and Communication Technology, Systems and Controls review" and "CYBERCrime" (Trinidad)
     • Nov 2013: TSTT issues a Network & Session Initiation Protocol (SIP) Security Audit RFP. Prior news reports speak to several mobile and bypass fraud activities (Trinidad)
     • Nov 2013: Flow identifies cybersecurity as a major threat (Jamaica)
     • Mar 2012: LIME Internet infrastructure attacked (Barbados)
  4. DDoS Activity: Destination TT, Dec 26th 2013

  5. TT Parliament Website hacked, April 2012
     "Greatz to admin, Your website hacked due to security vulnerabilities, patch your website, keep it updated. Don't worry all your files and your database are still here. This is a warning, what other hackers can do to your website. Keep it in mind,"
     CoD3X

  6. What is Cyber Security?
     Source: Adapted from ISO, ISO/IEC FCD 27032, Information technology—Security techniques—Guidelines for cybersecurity, May 2011.
  7. Cybercrime & Developing Economies
     Source: McAfee, Net Losses: Estimating the Global Cost of Cybercrime (Economic Impact of Cybercrime II)
     • Cybercrime produces high returns at low risk and (relatively) low cost for the hackers.
     • Most cybercrime incidents go unreported. Few of the biggest cybercriminals have been caught or even identified.
     • Losses in high-income countries averaged 0.9% of GDP; losses in developing economies averaged 0.2% of GDP.
     • The trend can shift as developing economies increase their access to and use of the internet for commercial purposes, and as cybercriminals continue to refocus their activities onto mobile platforms.
     • Wealthier countries are more attractive targets for hackers, but they also have better defences. Developing economies are more vulnerable.
     • Strong correlation between national income levels and losses from cybercrime, since the risk to the cybercriminal is the same whether the target is rich or poor.

  8. Varying Levels of Caribbean Readiness
     • International bodies incl. OAS, ITU and the Commonwealth Cybercrime Initiative (CCI) are ready and willing to assist; however, there seems to be a lack of corresponding urgency, or an inability to receive such assistance, on the part of Caribbean governments. Lack of cyber security champions on board!
     • There is an undertow of dissatisfaction with the model law documents produced by the EGRIP and HIPCAR exercises. This is not only at the technical level!
     • Dominica's novel approach: seek guidance from the CCI in executing a Cyber Security Needs Assessment Workshop, and ensure that legislative efforts and the Cybercrime Strategy are in accordance with the Budapest Convention on Cybercrime.

  9. Authoritative Sources of Information
     • 2012: OAS, CICTE & CTU Cyber Security Framework. Very digestible, providing short-, medium- and long-term prioritization of recommendations towards implementation for the Caribbean.
     • 2014: OAS/Symantec, Cyber Security Trends & Developments in 13 CARICOM states
     • 2012: UNESCAP / ACPiCT, General Understanding of Cyber Security
     • 2011: ITU, Comprehensive Cyber Security National Strategy Guide
     • CTO website: National Cyber Security Strategies from various countries
     • 2013: UNODC, Comprehensive Study on Cybercrime
  10. CARICOM Cyber Security Impediments
     Impediment categories: Recognition | Strategy, Policy | Legislation | CSIRT | Funding | People, Capacity Building | Awareness
     Member state: impediments flagged
     Antigua & Barbuda: X X X X
     Barbados: X
     Dominica: X X X
     Grenada: X
     Guyana: X X X
     Haiti: X X
     Jamaica: X X X
     St. Kitts & Nevis: X X X
     STVG: none marked
     Suriname: X X X X X
     TTO: X X X X
     Distilled from: OAS/Symantec, Latin American + Caribbean Cyber Security Trends, June 2014
  11. Common Themes in Cyber Security Development
     • National Cyber Security Strategy (NCSS): framework, agenda, strategy, policy
     • Legislation: Council of Europe Budapest Convention
     • Cybercrime Unit: digital forensics, cybercrime investigations
     • CSIRT: collaboration, partnerships, communication within the CSIRT network
     • Capacity building
     • Awareness: child protection, cyber security, phishing, email security etc.
     • Education: availability of tertiary education in the area of Information Security
     • Info sharing, incident reporting: legal obligation to report incidents; information sharing between private sector and Government
     • Statistics & benchmarking
     • International assistance: OAS, CTU, CICTE; ITU, Commonwealth Secretariat, CCI, IMPACS
  12. Current legislative approach working?

  13. Missing Components
     • Lack of technical expertise (capacity building only after the fact)
     • The Cybersecurity champion (need someone to drive the local/regional effort)
     • Intersection between Policy and Technology: gap to be filled
     • Private sector involvement (lots to learn from private sector her
  14. Proposed NCSS Aims & Structure
     Aims
     1) To align the whole of government.
     2) To coherently focus and coordinate public and private planning, and to convey the envisioned roles, responsibilities and relationships between all stakeholders.
     3) To convey one's national intent to other nations and stakeholders.
     Structure
     1) Executive summary.
     2) Introduction.
     3) Strategic national vision on cyber security.
     4) Relationship of the NCSS with other strategies, both national and international, and existing legal frameworks.
     5) Guidance principles.
     6) Relationship with other strategies, both national and international, and existing legal frameworks.
     7) Cyber security objective(s), preferably one to four.
     8) Outline of the tactical action lines.
     9) Glossary, preferably based on an internationally harmonised set of definitions.
     10) [Optional] Annex: envisioned operational activities, defined in a SMART way.
     Source: Luiijf, Eric, Kim Besseling, and Patrick De Graaf. "Nineteen national cyber security strategies." International Journal of Critical Infrastructures 9, no. 1 (2013): 3-31.
  15. Noteworthy NCSS Vision, Objectives & Principles
     Vision
     • Estonia: Advocates international cooperation and supports the enhancement of cyber security in other countries.
     • 8 nations (including AUS, GER, UK, IND, JPN, UGA): Economic prosperity of the digital society.
     Objective
     • France: Stated ambition to become a world power in cyber security and maintain information superiority within cyberspace.
     • Japan: Explicitly recognizes the need for agile adaptation to new and upcoming cyber security threats, including IPv6, appliances and cloud computing.
     • UK: Use of intelligence on adverse actors to disrupt cyber crime and to reduce the motivation and capabilities of cyberspace adversaries.
     Guiding Principles
     • 8 nations: Civil liberties and other (inter)national democratic core values.
     • 8 nations: Cooperation and public-private partnerships (PPP).
     • All nations explicitly address protection of their own critical infrastructures (CIs), including the government's own ICT (except Uganda).
     • All nations mention a plan to develop a cyber security awareness programme (except South Africa).
     Source: Luiijf, Eric, Kim Besseling, and Patrick De Graaf. "Nineteen national cyber security strategies." International Journal of Critical Infrastructures 9, no. 1 (2013): 3-31.
  16. TT Cybercrime Bill 2014, §23 "Offence by body corporate"
     Where a body corporate commits an offence under this Act and the Court is satisfied that a director, manager, secretary or other similar officer of the body corporate, or any person who purports to act in such capacity–
     (a) connived in or consented to the commission of the offence; or
     (b) failed to exercise due diligence to prevent the commission of the offence,
     the director, manager, secretary or other similar officer or person purporting to act in that capacity also commits the offence.

  17. Information Security Governance Required
     • This places responsibility and accountability on an individual within the organization to ensure that the organization's ICT infrastructure, processes and people do not pose a threat to the public network and its constituents, which include "critical infrastructure" elements.
  18. I'm Safe… Bought Latest Hardware Solution

  19. Securing People and Processes
     • Information Security must become part of the Risk Management strategy.
     • Senior/executive management must have oversight of, and be responsible for, Information Security Governance.
     • Information Security must be properly aligned with organizational structure and organizational behaviour.
     • Information Security specific roles.
     • Change user behaviours to foster a culture of Information Security.

  20. Securing People and Processes (cont.)
     • Information Security at the design stage of a project's System Development Life Cycle.
     • Continuous awareness of the evolution of external (and internal) threats.
     • When incidents do occur, proper escalation procedures and remediation efforts need to be in place.
     • Controls and response in accordance with international Information Security standards such as ISO 27001 (2013).

  21. Shiva Bissessar, BSc (Hons), MBA, MSc
     Managing & Technical Director, Pinaka Technology Solutions
     @Beascycle
     1-868-678-5078