MONA ICT Policy Centre

Transcription

1 MONA ICT Policy Centre 3rd National Cyber Security Conference Cyber Threats and Challenges Dr Louis Shallal, P.Eng. CIO GoJ Nov 17/18, 2015

2 Technology is Evolving Rapidly!

3 A Few Stats 1,000,000 People around the world are moving into cities each week; experts predict population in the world s cities will double by ,000 New cities will be needed worldwide

4 A Few Stats, already out of date! In One Internet Minute 10 M ads are displayed 3.3 Million pieces of content is shared 6.9 M messages are sent 4.1 M searches are conducted Source : Carnegie Mellon

5 A Few Stats 43 Percent $721 B transactions by 2017 of those aged 65+ and nearly two-thirds of year olds are now on Facebook Forecast growth for global market mobile payments - Gartner

6 The amount of data in the world is exploding. Again, these data are already out of date 2 Billion Internet users in 2011 By 2013, annual internet traffic will reach 667 Exabytes Google processes > 24 Petabytes of data in a single day Facebook processes 10 Terabytes of data every day Twitter processes 7 Terabytes of data every day 250,000,000 tweets The Hadron Collider at CERN generates 40 Terabytes of data / sec For every session, NY Stock Exchange captures 1 Terabyte of trade information 90% of the data in the world today has been created in the last two years.

7 The World is becoming massively sensorised 2.4 Billion People on the Internet 6 Billion Mobile phone subscribers globally 1 Trillion ed devices in the internet of things We collect information from almost everything! 7

8 A new computing model facilitates this brave new world Back Office Computing Client Server PC World Wide Web and ebusiness Confluence of Mobile, Social, Cloud, Big Data / Analytics 60 s 80 s 90 s We are here

9 Social Media I need not tell you of its pervasive role! It is Every Where Involves Almost Everyone Influences Behavior Prime tool of Communication Today

10 No Wonder. Fortune 500 CEO s now consider Technology the most important FACTOR to impact their organization here is the data from IBM

11

12 Unfortunately, Technology Also brought global issues. Cyber Security Global Realities : the financial sector most targeted by Cyber criminals: phishing, identity theft, fake bank apps. Child sexual abuse images Deployment of viruses, botnets and scams. Cost of these crimes >>> all drug trafficking

13 Social Networking Threats 13

14 Twitter Spam 14

15 Justin Timberlake 15

16 Not Funny!

17 Cyber Crime Stats US$1Billion Revenue from Cyber crime involving Identity theft Source : UN office of Drug and Crime

18 Future Outlook Web attacks will increase in sophistication and prevalence will gain more traction as a top vector for malicious attacks More Targeted attacks for intelligence gathering at country level Cyber WARS. Careful where your search results will take you Smartphones are hackers playground Governments will keep trying but one step behind 18

19 Lessons/Advice From ttech 1. Take a Risk Approach to Security Prioritize for a starting point / focus your resources 2. Identify Critical Assets 3. Understand your data flow where it originates / and ends 4. Determine appropriate controls Data are more valuable than servers 5. Move away from Check Box compliance thinking i.e. nothing done in between audits 6. Monitor and Review frequently 7. Have a Business Continuity and Disaster Recovery Plan

20 Challenges of Cyber Security It is a New paradigm for law enforcement. Trans-border nature of Cyber crime - thus international coordination and cooperation needed Role of the Private Sector including Banking & Telcos Role of the Academic Sector Training the next generation of experts

21 Tracing Jamaica Cyber Security Efforts GoJ role is to build trust and confidence in cyber space Child Pornography Act 2007 the Electronic Transaction Act promulgated 2009 the Digital Evidence and Cybercrime Unit office of Director of Public Prosecution 2010 Cybercrime Act Communication Forensics and Cybercrime Unit - JCF 2015 Cybercrime Act in line with international best practice addressing new cyber threats National Cyber Security Task Force (NCSTF) created Produced the National Cyber Security Strategy w/oas launched Jan 2015 Establishment of CIRT Cyber Incident Response Team Open Data & Data Protection Policy under preparation

22 We all have a role In Cyber Security GoJ Decision Makers (Ministers) PS Board MSTEM Legal and Enforcement International Relations Staff CIRT CIO Office egov J MIS Officers and directors HR Cyber Security Private Sector ICT Firms (hardware /software) Telcos Banking and Financial Institutions NGOs MEDIA Schools Universities Associations The Public

23 What Can We do about Cyber Security? we can do 4 things*: 1. Technical Measures 2. HR and Capacity Building; 3. Public Education and Awareness 4. Legal and Regulatory We all have a role * Source: The National Cyber Security Strategy

24 What Can We do about Cyber Security? 1 Technical Measures Jamaica wide: protection of critical infrastructures (IT &ICS*) MDA s; 3 Rs: Review security process including contracts for apps and hosting, due diligence & tools, RCA, Report egov Ja; Train & Exploit existing Security Resources to assist MDAs more CIO s Office; Enterprise Security Architecture, Chief Security Officer, ation Process to reduce points of failure (e.g consolidated data centres, centres of expertise, etc.) *ICS= Industrial Control Systems

25 The Enterprise Security Architecture Roadmap Extended Perimeter Remote Users The Internet Control Perimeter IDS Intrusion Detection Firewall Access Control Identity Management Malware Wireless LAN Other governments Resources Policy Management Scanning Branch Offices And Yards Single Sign-On Wireless Contractors and Consultants Radius / VLAN Policy Enforcement Virus Mobile Workers VPN Firewall Over Seas jurisdictions The Internet

26 Mobile Security These MUST be part of the Enterprise Security Architecture. We need these secure : why? Smartphone now used for: access to information, payments and service requests with integrated photo GIS tagging.

27 Key Mobile Security Issues to be addressed by CSO Chief Security Officer Security is important when: App handles user data App handles credit card data The app communicates with GoJ backend applications to networks using the highest level of security available Security needs to be tight at both ends: The mobile app & at the GoJ app Decide which GoJ apps the devices may access Define the websites and apps that devices may use Ensure that users who connect remotely from home or while traveling use VPNs and stipulate encryption Assign strong passwords periodically for access. Decide if mobile devices may dock and sync with GoJ PCs and ensure that the devices use security software Perform regular, essential maintenance especially backups

28 More Mobile Security Issues Security ICT experts say "consumerization" of mobile devices is a top problem. Secure Computing magazine reports that 75 percent of new cybercrime attacks target mobile applications. Security breaches are costly in work delays and possible stoppage, staff time lost, damage to reputation, lawsuits, and fines. Security risks will grow. Raise employee awareness. Most users know little about security risks and have a low tolerance for security controls prevent the physical theft & loss of devices to reduce security risks Get buy-in by communicating reasons to care: Mobile device security can protect employees' own private data and improve system performance

29 2 Capacity Building / CIRT/Background National ICT Policy 2011 identified CIRT (Cyber Incident Response Team) Mar 2013, MSTEM entered Agreement with ITU to establish CIRT and ITU provided GoJ with hardware and software as well as Training Hardware & Software from ITU is in egov Ja space We also obtained Some Hardware from OAS to supplement ITU OAS trained MIS Officers in Cyber Security back in Nov 2014.

30 National Cyber Security Strategy & CIRT All 4 components of Strategy: (Technical Measures; HR and Capacity Building; Legal and Regulatory and Public Education and Awareness) are being implemented by 4 sub-committees of the Cyber Security Task Force MSTEM Operationalized CIRT, naming Team members who commenced training this Aug for 4-6 months CIRT :Escalation Protocol / Policies & Procedures being developed ITU is providing Jamaica CIRT Portal, Open Source, training provided.

31 3 Public Awareness Minister Robinson has been leading the Awareness Campaign/ Met with the banking / financial sector and the telecommunication sectors Protect vulnerable groups (e.g. elderly & youth ) Entered into MOU with Stop, Think,! October was special GoJ/MSTEM started issuing bits and advisories as well as flyers and posters OAS - Cyber Security Awareness Campaign Toolkit, a good PDF reference

32 Public Awareness

33 Funny

34 4 Legal and Regulatory Ensuring that Jamaica is a safe place to do business Maintenance of effective legal framework and enforcement capability to investigate and prosecute cybercrime while protecting right of privacy Minister Robinson has been leading the charge on this as well 2015 Cyber Crime Act promulagted - Update of 2010 Act

35 Priority of Cyber Security ONE Last comment We must understand Cyber Security in the context of ALL Government Priorities For example

36 Aging Infrastructure requires government action Water Transport Energy Municipalities lose as much as 20% of their water through leaks. A major traffic jam in China caused gridlock for 60 miles and lasted ten days A blackout in the Northeast of the US affected over 55 million people.

37 The Battle with Cyber hackers and criminals goes on. But,. These are no excuses NOT to do our best for Cyber Security

38 Dr Louis Shallal CIO Jamaica