Computer hacking presents a very serious risk to consumers, businesses and governments in the region and around the world. Organisations that are ill-prepared can suffer significant loss in time, productivity, money, and consumer confidence.
Some people mistakenly believe that institutions in developing countries with relatively small economies are less likely to be a target of attacks. In reality, as large enterprises strengthen their network security, hackers are increasingly focusing on organizations and businesses in emerging markets. This makes the Caribbean a very attractive location for hackers.
Gregory Richardson, network security lead at United States-based computer security firm 1337 Networks, Inc, painted a chilling picture of the state of computer security in the Caribbean in a recent address to a special regional forum for computer professionals organised by the Caribbean Network Operators Group, (CaribNOG). According to Richardson, organisations in the region and around the world are storing and increasing amount information on computer networks. "There is a dangerous flip side to this explosion in electronic data. As computer networks connect to the Internet, they are susceptible to attack and authorised access by modern day digital pirates of the Caribbean-computer hackers." His statement should not come as a surprise to governments and businesses in the Caribbean. Computer network hacking and cyber-attacks are clear and present danger to Caribbean information security.
Computer networks have become a basic and essential part of doing business today in today's technology-driven society. The Caribbean is one of the world's fastest growing regions in terms of Internet usage. Over the last decade, the region has developed increasing reliance digital communications for essential services ranging from border protection and disaster preparedness to financial transaction processing, broadcasting and day-to-day communications. The region is also the nexus for internationally strategic communications infrastructure. This growing dependence on digital communications in a region with relatively fragile infrastructure, and outmoded policy and legislative environment, creates a higher risk of attack. Risks include disruption of services, exposure of confidential information, corruption of data, legal liability and damaged reputation. Organisations with a high profile or profit margin have a much higher risk of attack. For the Caribbean, this makes whole economies particularly vulnerable to cyber-attacks.
Inaction not an option
International and regional organisations alike are therefore pressuring Caribbean governments to pay greater attention to cybersecurity issues. The International Telecommunications Union, the Inter-American Committee against Terrorism (CICTE), the Caribbean Telecommunications Union, the Caribbean Network Operators Group (CaribNOG), the Commonwealth Telecommunications Organisation (CTO) and the Internet Corporation for Assigned Names and Numbers (ICANN) have all announced plans and programmes to create greater regional awareness and build regional defense capacity. However, for the most part, the regional approach to cybersecurity remains fragmented. Governments and the private sector are simply not moving with sufficient alacrity to address existing national vulnerabilities or to define a coordinated regional defense strategy. Inaction is not an option. It is vitally important that organisations and individuals take the necessary steps to protect their identities and to secure private and corporate data. Even if at first look network security might seem too complex, and tackling it might seem like too much work, organisations should view computer security planning as essential as accounting, sales and advertising. Instead of thinking about computer security as a technical concern, organisations should consider it a business continuity issue. Defending government, corporate and personal networks against attack requires constant vigilance and education. It also requires a coordinated national and regional approach to cybersecurity. The good news is that is possible to take a step-by-step approach (See sidebar: Protecting corporate networks). Make no mistake about it: the threat of cyber-attacks on Caribbean networks is real. The Caribbean's response needs to be collaborative, co-ordinated and sustained.
Protecting corporate networks
Although there is no recipe for guaranteeing the absolute security of any network, there are some basic guidelines from CaribNOG that can provide useful insurance to any organisation.
Harden the software
Productivity software, network software and the underlying operating system should be constantly be checked for security issues. This is because any software running on the computer can use shared resources or libraries that harbor vulnerabilities which could expose your data, personal information and system processes to access over your network. Check your software vendors' Web sites frequently for security updates, notices and software patches.
Strengthen the passwords
Weak or blank passwords are a primary entry point for would-be hackers, and brute-force guessing of user passwords on targeted systems has become easier with each successive generation of new and more powerful computers. New processors along with improved dictionary-based guessing software drastically reduce the time it takes to crack weak passwords. Administrators have to be diligent to enforce password policies that encourage the use of longer password lengths and the use of ASCII or numeric characters and non-dictionary based passwords.
Manage your sessions
Where feasible, applications should be run in a non-privileged user security context to reduce the scope of damage if the application is compromised by a remote attacker. As applications migrate away from personal computers to web application servers, there are wider threats to session connections. These threats are in the form of session replay and session hijacking, but can be mitigated by the use of network timestamps and asymmetric session keys, which are normally implemented using SSL transport.
Backup you corporate data repositories regularly, and test them on a regular basis.
Batten down the hatches
Reducing the attack surface area of applications and services is one of the key strategies in reducing options available to a would-be attacker. Each network application can serve as on open window to compromising and eventually accessing data. Barring any specific need, all ports should be closed and applications halted when not in use.
Defend the network
Whenever possible, layer network defenses by separating public facing-network resources like web servers in a DMZ (de-militarised zone) from your trusted assets, allowing you place further restrictions on network resources that are accessible from the outside. A firewall is a single point of controlled communication between trusted and untrusted networks. Firewalls protect against many Internet protocol-based attacks such as spoofing, ping flooding, and denial of service (DoS) attacks.
Firewalls are also able to perform key security duties such as checking e-mail attachments for viruses, filter web-based traffic for unknown and dangerous application content types, repel server exploits and perform intrusion detection.
Encrypt sensitive data
To protect sensitive data, computers files containing private, proprietary or highly valuable information should be encrypted. Encryption is the process of transforming data so that it can only be used by those who should have access to it. If a computer is stolen or used by someone without permission, encrypted files and folders will be inaccessible. This is especially important for mobile users whose ability to move from place to place with their devices puts their data into potentially unsafe circumstances. Software applications are available that offer enterprise-grade encryption for mobile users, as well as desktops and network servers.
Educate your users
The educated user is a security professional's best friend, critical in the enforcement of security policies and procedures. Social engineering, the term used when an attacker takes advantage of user ignorance, is still the most frequent way in which networks are compromised. As such, user education and awareness of trends are a critical component of implementing an effective security strategy. A written corporate security policy is also key to informing user behaviour.
Bevil Wooding is an Internet strategist with the US-based research firm,
Packet Clearing House and the chief knowledge officer at Congress WBN, an international non-profit organisation.
Follow on Twitter: