Bevil Wood­ing

Com­put­er hack­ing presents a very se­ri­ous risk to con­sumers, busi­ness­es and gov­ern­ments in the re­gion and around the world. Or­gan­i­sa­tions that are ill-pre­pared can suf­fer sig­nif­i­cant loss in time, pro­duc­tiv­i­ty, mon­ey, and con­sumer con­fi­dence.

Some peo­ple mis­tak­en­ly be­lieve that in­sti­tu­tions in de­vel­op­ing coun­tries with rel­a­tive­ly small economies are less like­ly to be a tar­get of at­tacks. In re­al­i­ty, as large en­ter­pris­es strength­en their net­work se­cu­ri­ty, hack­ers are in­creas­ing­ly fo­cus­ing on or­ga­ni­za­tions and busi­ness­es in emerg­ing mar­kets. This makes the Caribbean a very at­trac­tive lo­ca­tion for hack­ers.

Gre­go­ry Richard­son, net­work se­cu­ri­ty lead at Unit­ed States-based com­put­er se­cu­ri­ty firm 1337 Net­works, Inc, paint­ed a chill­ing pic­ture of the state of com­put­er se­cu­ri­ty in the Caribbean in a re­cent ad­dress to a spe­cial re­gion­al fo­rum for com­put­er pro­fes­sion­als or­gan­ised by the Caribbean Net­work Op­er­a­tors Group, (CaribNOG). Ac­cord­ing to Richard­son, or­gan­i­sa­tions in the re­gion and around the world are stor­ing and in­creas­ing amount in­for­ma­tion on com­put­er net­works. "There is a dan­ger­ous flip side to this ex­plo­sion in elec­tron­ic da­ta. As com­put­er net­works con­nect to the In­ter­net, they are sus­cep­ti­ble to at­tack and au­tho­rised ac­cess by mod­ern day dig­i­tal pi­rates of the Caribbean-com­put­er hack­ers." His state­ment should not come as a sur­prise to gov­ern­ments and busi­ness­es in the Caribbean. Com­put­er net­work hack­ing and cy­ber-at­tacks are clear and present dan­ger to Caribbean in­for­ma­tion se­cu­ri­ty.

Risky busi­ness

Com­put­er net­works have be­come a ba­sic and es­sen­tial part of do­ing busi­ness to­day in to­day's tech­nol­o­gy-dri­ven so­ci­ety. The Caribbean is one of the world's fastest grow­ing re­gions in terms of In­ter­net us­age. Over the last decade, the re­gion has de­vel­oped in­creas­ing re­liance dig­i­tal com­mu­ni­ca­tions for es­sen­tial ser­vices rang­ing from bor­der pro­tec­tion and dis­as­ter pre­pared­ness to fi­nan­cial trans­ac­tion pro­cess­ing, broad­cast­ing and day-to-day com­mu­ni­ca­tions. The re­gion is al­so the nexus for in­ter­na­tion­al­ly strate­gic com­mu­ni­ca­tions in­fra­struc­ture. This grow­ing de­pen­dence on dig­i­tal com­mu­ni­ca­tions in a re­gion with rel­a­tive­ly frag­ile in­fra­struc­ture, and out­mod­ed pol­i­cy and leg­isla­tive en­vi­ron­ment, cre­ates a high­er risk of at­tack. Risks in­clude dis­rup­tion of ser­vices, ex­po­sure of con­fi­den­tial in­for­ma­tion, cor­rup­tion of da­ta, le­gal li­a­bil­i­ty and dam­aged rep­u­ta­tion. Or­gan­i­sa­tions with a high pro­file or prof­it mar­gin have a much high­er risk of at­tack. For the Caribbean, this makes whole economies par­tic­u­lar­ly vul­ner­a­ble to cy­ber-at­tacks.

In­ac­tion not an op­tion

In­ter­na­tion­al and re­gion­al or­gan­i­sa­tions alike are there­fore pres­sur­ing Caribbean gov­ern­ments to pay greater at­ten­tion to cy­ber­se­cu­ri­ty is­sues. The In­ter­na­tion­al Telecom­mu­ni­ca­tions Union, the In­ter-Amer­i­can Com­mit­tee against Ter­ror­ism (CI­CTE), the Caribbean Telecom­mu­ni­ca­tions Union, the Caribbean Net­work Op­er­a­tors Group (CaribNOG), the Com­mon­wealth Telecom­mu­ni­ca­tions Or­gan­i­sa­tion (CTO) and the In­ter­net Cor­po­ra­tion for As­signed Names and Num­bers (ICANN) have all an­nounced plans and pro­grammes to cre­ate greater re­gion­al aware­ness and build re­gion­al de­fense ca­pac­i­ty. How­ev­er, for the most part, the re­gion­al ap­proach to cy­ber­se­cu­ri­ty re­mains frag­ment­ed. Gov­ern­ments and the pri­vate sec­tor are sim­ply not mov­ing with suf­fi­cient alacrity to ad­dress ex­ist­ing na­tion­al vul­ner­a­bil­i­ties or to de­fine a co­or­di­nat­ed re­gion­al de­fense strat­e­gy. In­ac­tion is not an op­tion. It is vi­tal­ly im­por­tant that or­gan­i­sa­tions and in­di­vid­u­als take the nec­es­sary steps to pro­tect their iden­ti­ties and to se­cure pri­vate and cor­po­rate da­ta. Even if at first look net­work se­cu­ri­ty might seem too com­plex, and tack­ling it might seem like too much work, or­gan­i­sa­tions should view com­put­er se­cu­ri­ty plan­ning as es­sen­tial as ac­count­ing, sales and ad­ver­tis­ing. In­stead of think­ing about com­put­er se­cu­ri­ty as a tech­ni­cal con­cern, or­gan­i­sa­tions should con­sid­er it a busi­ness con­ti­nu­ity is­sue. De­fend­ing gov­ern­ment, cor­po­rate and per­son­al net­works against at­tack re­quires con­stant vig­i­lance and ed­u­ca­tion. It al­so re­quires a co­or­di­nat­ed na­tion­al and re­gion­al ap­proach to cy­ber­se­cu­ri­ty. The good news is that is pos­si­ble to take a step-by-step ap­proach (See side­bar: Pro­tect­ing cor­po­rate net­works). Make no mis­take about it: the threat of cy­ber-at­tacks on Caribbean net­works is re­al. The Caribbean's re­sponse needs to be col­lab­o­ra­tive, co-or­di­nat­ed and sus­tained.

Pro­tect­ing cor­po­rate net­works

Al­though there is no recipe for guar­an­tee­ing the ab­solute se­cu­ri­ty of any net­work, there are some ba­sic guide­lines from CaribNOG that can pro­vide use­ful in­sur­ance to any or­gan­i­sa­tion.

Hard­en the soft­ware

Pro­duc­tiv­i­ty soft­ware, net­work soft­ware and the un­der­ly­ing op­er­at­ing sys­tem should be con­stant­ly be checked for se­cu­ri­ty is­sues. This is be­cause any soft­ware run­ning on the com­put­er can use shared re­sources or li­braries that har­bor vul­ner­a­bil­i­ties which could ex­pose your da­ta, per­son­al in­for­ma­tion and sys­tem process­es to ac­cess over your net­work. Check your soft­ware ven­dors' Web sites fre­quent­ly for se­cu­ri­ty up­dates, no­tices and soft­ware patch­es.

Strength­en the pass­words

Weak or blank pass­words are a pri­ma­ry en­try point for would-be hack­ers, and brute-force guess­ing of user pass­words on tar­get­ed sys­tems has be­come eas­i­er with each suc­ces­sive gen­er­a­tion of new and more pow­er­ful com­put­ers. New proces­sors along with im­proved dic­tio­nary-based guess­ing soft­ware dras­ti­cal­ly re­duce the time it takes to crack weak pass­words. Ad­min­is­tra­tors have to be dili­gent to en­force pass­word poli­cies that en­cour­age the use of longer pass­word lengths and the use of ASCII or nu­mer­ic char­ac­ters and non-dic­tio­nary based pass­words.

Man­age your ses­sions

Where fea­si­ble, ap­pli­ca­tions should be run in a non-priv­i­leged user se­cu­ri­ty con­text to re­duce the scope of dam­age if the ap­pli­ca­tion is com­pro­mised by a re­mote at­tack­er. As ap­pli­ca­tions mi­grate away from per­son­al com­put­ers to web ap­pli­ca­tion servers, there are wider threats to ses­sion con­nec­tions. These threats are in the form of ses­sion re­play and ses­sion hi­jack­ing, but can be mit­i­gat­ed by the use of net­work time­stamps and asym­met­ric ses­sion keys, which are nor­mal­ly im­ple­ment­ed us­ing SSL trans­port.

Back­up reg­u­lar­ly

Back­up you cor­po­rate da­ta repos­i­to­ries reg­u­lar­ly, and test them on a reg­u­lar ba­sis.

Bat­ten down the hatch­es

Re­duc­ing the at­tack sur­face area of ap­pli­ca­tions and ser­vices is one of the key strate­gies in re­duc­ing op­tions avail­able to a would-be at­tack­er. Each net­work ap­pli­ca­tion can serve as on open win­dow to com­pro­mis­ing and even­tu­al­ly ac­cess­ing da­ta. Bar­ring any spe­cif­ic need, all ports should be closed and ap­pli­ca­tions halt­ed when not in use.

De­fend the net­work

When­ev­er pos­si­ble, lay­er net­work de­fens­es by sep­a­rat­ing pub­lic fac­ing-net­work re­sources like web servers in a DMZ (de-mil­i­tarised zone) from your trust­ed as­sets, al­low­ing you place fur­ther re­stric­tions on net­work re­sources that are ac­ces­si­ble from the out­side. A fire­wall is a sin­gle point of con­trolled com­mu­ni­ca­tion be­tween trust­ed and un­trust­ed net­works. Fire­walls pro­tect against many In­ter­net pro­to­col-based at­tacks such as spoof­ing, ping flood­ing, and de­nial of ser­vice (DoS) at­tacks.

Fire­walls are al­so able to per­form key se­cu­ri­ty du­ties such as check­ing e-mail at­tach­ments for virus­es, fil­ter web-based traf­fic for un­known and dan­ger­ous ap­pli­ca­tion con­tent types, re­pel serv­er ex­ploits and per­form in­tru­sion de­tec­tion.

En­crypt sen­si­tive da­ta

To pro­tect sen­si­tive da­ta, com­put­ers files con­tain­ing pri­vate, pro­pri­etary or high­ly valu­able in­for­ma­tion should be en­crypt­ed. En­cryp­tion is the process of trans­form­ing da­ta so that it can on­ly be used by those who should have ac­cess to it. If a com­put­er is stolen or used by some­one with­out per­mis­sion, en­crypt­ed files and fold­ers will be in­ac­ces­si­ble. This is es­pe­cial­ly im­por­tant for mo­bile users whose abil­i­ty to move from place to place with their de­vices puts their da­ta in­to po­ten­tial­ly un­safe cir­cum­stances. Soft­ware ap­pli­ca­tions are avail­able that of­fer en­ter­prise-grade en­cryp­tion for mo­bile users, as well as desk­tops and net­work servers.

Ed­u­cate your users

The ed­u­cat­ed user is a se­cu­ri­ty pro­fes­sion­al's best friend, crit­i­cal in the en­force­ment of se­cu­ri­ty poli­cies and pro­ce­dures. So­cial en­gi­neer­ing, the term used when an at­tack­er takes ad­van­tage of user ig­no­rance, is still the most fre­quent way in which net­works are com­pro­mised. As such, user ed­u­ca­tion and aware­ness of trends are a crit­i­cal com­po­nent of im­ple­ment­ing an ef­fec­tive se­cu­ri­ty strat­e­gy. A writ­ten cor­po­rate se­cu­ri­ty pol­i­cy is al­so key to in­form­ing user be­hav­iour.

Bevil Wood­ing is an In­ter­net strate­gist with the US-based re­search firm,

Pack­et Clear­ing House and the chief knowl­edge of­fi­cer at Con­gress WBN, an in­ter­na­tion­al non-prof­it or­gan­i­sa­tion.

Fol­low on Twit­ter:

@bevil­wood­ing, and

Face­book: face­book.com/bevil­wood­ing