The need for developing a cyber security ecosystem of professionals
24th March 2017
Shiva Bissessar, BSc (Hons), MBA, MSc
Managing & Technical Director
shiva@pinaka.co.tt | @PinakaTT | www.pinaka.co.tt
In Brief
Over 20 years ICT experience, now providing consultancy services to various clients, including Caribbean-based Telcos and FinTech startups seeking to offer Digital Financial Services (DFS).
Also assists clients in business development of Information Security services.
In 2013, attained M.Sc. Information Security from University College London (UCL), UK.
Pinaka Technology Solutions formed to assist organizations with their strategic ICT needs.
Adjunct Lecturer, University of West Indies, Arthur Lok Jack School of Business: Masters, Information Systems & Technology Management: Information Security, Ethics & Law.
Visit website, www.pinaka.co.tt, for additional information on services, workshops, publications.
Oct 22nd 2016 DYN attack
10s of millions of discrete IP addresses associated with the Mirai botnet were part of the attack.
Skype conversation with perpetrators
Internet of Things (IoT)
In order to get users to use it, it must be simple to set up & reset.
It is often copies of existing systems which are thrown together with little understanding of security.
In order to keep costs down, it uses cheap processors, with limited capabilities and where memory is limited.
Software developers often have no idea about how to properly implement secure code and, especially, encryption. The code is often "borrowed" from the Internet.
Patching vulnerabilities for IoT devices is often difficult, as they often require the user to update them.
Source: Let's Take A "Bin" Walk Through IoT; William Buchanan, Professor, Napier University (2016)
State of cyber security in Trinidad & Tobago
A senior position with responsibility for information security at a government agency with responsibility for implementation of the national strategy towards Information and Communication Technology (ICT) has been vacant since 2010.
A senior representative of a multinational with local presence claimed he knew many world class Information Security professionals of Trinidadian heritage; but went further to state they all worked outside of Trinidad and Tobago.
At a 2016 Christmas dinner event for an association of lawyers, a prominent lawyer lamented that Trinidad lawyers, having opted not to pursue continuing education, were deficient in various areas of increasing import including cybercrime.
Cybercrime underground economy
Criminal entrepreneurs devise scams by procuring the necessary resources à la carte, taking advantage of specialization and economies of scale and resulting in a web of interactions which potentially span the globe.
http://cseweb.ucsd.edu/~savage/papers/weis15.pdf
In our favour but
TTPS Cybercrime Unit
Cyber Security Agency & TT CSIRT
Cybercrime Bill?
Participation in regional cyber security development exercises
However:
At CSMII in St. Lucia 2016, the Commonwealth Secretariat declared cyber security awareness and basic cyber hygiene were recurring deficiencies in the needs assessment exercises.
Capacity development has public sector focus.
There is an emphasis on addressing legislative issues rather than implementing technical controls.
Cyber security needs private sector participation
During the signing ceremony, OAS Secretary General Luis Almagro reiterated the commitment of the Organization to promote a comprehensive and multi-stakeholder approach to cyber issues, where the private sector and civil society play a fundamental role. He added that the contribution will be instrumental for enhancing the capacity of member states to prevent and respond to cyber threats,
Fight fire with fire
One can argue that a criminal ecosystem, like many other cyber security threats, can only be disrupted by an equally powerful cyber security ecosystem of professionals.
Ensure national pool of talent, at all levels, is being developed today to address unknown future needs.
The status quo will forever bind us to a dependency upon the importation of expertise.
The up-skilling of a national pool of experts also presents Trinidad and Tobago with opportunity in providing exportable resources both regionally and internationally as others seek to develop cyber security.
Tough questions
Do we have an InfoSec community of experts in Trinidad and Tobago focusing on cyber security?
If yes, who are the persons comprising this community?
Is this a formal community or a loosely defined community which comes together temporarily during exercises such as this one?
Does its membership lean towards greater participation from the public sector or the private sector?
Is there recognition that private sector interest from a Small Medium Enterprise (SME) is not the same as the private sector interest of a large commercial entity?
Tough questions
How are potential candidates encouraged to contribute within this community?
Is the community comprised in such a way that both fresh ideas and a wealth of experience are expressed in deliverables?
Do the participants of this community come from different professions, backgrounds and skill sets?
Can such a community adopt value chain relationships to be transformed into an active ecosystem of professionals seeking to promote national cyber security?
Can the Integrated Threat Assessment Centre (ITAC) be the catalyst in the formation of such an ecosystem?
Recommendations
1. Proper recognition and appointment of national champion to oversee the development of cyber security locally.
2. National consultative body for cyber security with membership encouraging development of cyber security focused SMEs. Formal body can lead to informal cyber security ecosystem of professionals.
3. Encourage participation from the private sector/SMEs in local and regional cyber security meetings. Qualified entities should also be invited to participate in the training and capacity building exercises arising from such meetings. Financial assistance needed.
Recommendations
4. Assessment of critical infrastructure & key ministries and agencies in ICT. Organizational structure of these bodies should reflect cyber security maturity extending to the roles and responsibilities. Comprehensive set of policies and audit mechanisms to be defined.
5. Information Security Governance training for boards and senior management of various key organisations. Information Security Awareness training for the general population of employees.
6. InfoSec academic and professional development via alignment between the academic institutions, the national development needs scholarship system and the intake of graduates into the public and private sectors. Coordination with corporate entities towards the creation of funding for cyber security research.
Recommendations
7. Gov't should facilitate opportunities within the private sector to build and develop future cyber security competencies. InfoSec researchers, writers, lecturers, practitioners, policy makers, legal specialists and technical experts are needed. Gov't leads by example and procures services from fledgling entities seeking to provide services in cyber security.
8. Information Security awareness training needs to be conducted extensively within the secondary school system.
9. Take advantage of training and capacity development exercises from international bodies and multinational corporate entities to up-skill the national pool of experts (public and private sector) towards the goal of developing cyber security for economic development.