WWW.CARIBBEANCSC.COM Caribbean Cyber Security: “The Time for ACTION is NOW”

Caribbean Cyber Security: “The Time for ACTION is NOW”

Agenda

• Global Cyber Security “Reality Check”
• Caribbean Cyber Crime Trends: 2013 & Beyond
• Caribbean Distribution of Targets
• Current Cyber Threat Sources
• Understanding Our Regional Cyber Security Posture
• Keeping the Right “BALANCE”
• The Global Cyber Security Response
• Profile of a HACKED system
• Recommended Action Plan (Public & Private Sectors)
• CCSC Support Services
• About the Caribbean Cyber Security Center (CCSC)
• Mission, Vision, Value
• Our Team
• Implications for the Caribbean in Staying The Current “Unsecure” Course

Global Cyber Security “Reality Check”

Barbados Government Network Hacked (March 2013)

The Parliamentary website of the government of Trinidad and Tobago was breached by a hacker. (April 2012)

El Salvador government sites attacked. (June 2011)

LIME Barbados' broadband network came under a DOS attack. (April 2012)

Caribbean Cyber Crime Trends: 2013 and Beyond

• Spike in the number of successful hackings of key public and private sector networks across the region.

• The Caribbean is one of the world's fastest growing regions for Internet usage, with 28.7% of the Caribbean population of 41.4 million using the Internet.

• As Caribbean and Latin American economies grow, the prospect of financial gain from cyberattacks is drawing organized cyber criminals into the region.

• Cyber security is still NOT being taken seriously as the region's relatively fragile infrastructure makes whole economies particularly vulnerable.

• Many Caribbean nations and organizations are still not conducting effective security awareness efforts.

• Implementation of CSIRTs is lagging across the region.

• Lots of “TALK”, little or no real “ACTION”; the region is still trying to solve the problem with just a technology approach.

Recent Events Across Our Region: “Just a Few”

The Evolving Cyber Threat and Our Current Posture

WHO’S NEXT?

Caribbean Distribution of Targets

Threat sources by Source and Type, with Capabilities, Threat Scenarios and Intentions/Motivations:

Foreign Intelligence Service over the Internet
• Capabilities: Outsider; Highest level of sophistication
• Threat Scenarios: Hacking; Impersonation; Social Engineering; System Intrusion, Break-ins; Unauthorized access
• Intentions/Motivations: Malicious; Political Gain; Economic Gain; Military Gain

Terrorist \ Organized Crime over the Internet
• Capabilities: Outsider; Highest level of sophistication
• Threat Scenarios: Hacking; Impersonation; Social Engineering; System Intrusion, Break-ins; Unauthorized access
• Intentions/Motivations: Malicious; Political Gain; Economic Gain; Military Gain; Denial of Service; Create Chaos

Individual Hacker over the Internet
• Capabilities: Outsider; Many levels of sophistication
• Threat Scenarios: Hacking; Social Engineering; System Intrusion, Break-ins; Unauthorized access
• Intentions/Motivations: Malicious; Challenge; Ego; Rebellion; Create Chaos

Disgruntled Current\Former Employee
• Capabilities: Outsider; Insider; Many levels of sophistication; Insider; High degree of technical sophistication
• Threat Scenarios: Hacking; Social Engineering; System Intrusion, Break-ins; Unauthorized access
• Intentions/Motivations: Malicious; Revenge; Curiosity; Ego; Monetary Gain

“Current” Caribbean Cyber Threat Sources

• Lack of readily available systems information and non-adherence to International Best Practices

• Inability to effectively maintain the confidentiality, integrity and availability of systems.

• With shrinking budgets in challenging economic times, IT Security is placed on the back burner, and hence cyber security is not viewed with the required sense of urgency by ICT leaders.

• Consumerism – Departments have different buying practices without consideration for software and hardware standards.

• Organizational difficulty obtaining management buy-in because cyber threats and cyber crime are seen as IT problems and not as critical business issues.

• Cyber Crime is a global threat. Proceeds from Cyber Crime have outstripped the illegal drug trade.

• No sense of urgency because nothing catastrophic has happened “yet”.

• Overdependence on in-house ICT staff with no independent assessments being conducted.

Understanding Our Regional Cyber Security Posture

[Figure labels: SEC OPS; Meets Security Requirements; Exceed; Unsatisfactory; Higher Risk; Lower Risk; Mission Success; Confidentiality, Integrity, Availability; $$$$ AT RISK; SAVE $$$, REPUTATION SAVED; Caribbean]

“Maintaining the right balance between Security Operations (SECOPS) and Organization Mission Success… in ICT internal and external “risk” never disappears, however it can be lowered”

Keeping the Right “BALANCE”

The Global Cyber Security Response

• The US, UK and Canada have recognized that they are at a crossroads. The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security.

• The status quo is no longer acceptable. The United States must signal to the world that it is serious about addressing this challenge with strong leadership and vision.

• The national dialogue on cyber security must begin today. The government, working with industry, should explain this challenge and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action.

• The United States cannot succeed in securing cyberspace if it works in isolation. The Federal government should enhance its partnership with the private sector.

Developed Nations

• There has been a lag in the implementation of effective national and regional cyber security legislation and policy frameworks which provide guidance to both the private and public sectors.

• Political leaders in the region view cyber security as a “security” issue versus the “development” issue it is, noting our dependence on foreign reserves.

• Current economic challenges have adversely impacted regional nations in allocating or realigning ICT fiscal resources and support to cyber security efforts.

• ICT leadership is reluctant to allow independent assessment of their networks (cultural\human factor).

• We have not fully recognized that a continued successful attack against a critical infrastructure in our region (like Banking), if publicized globally, can start a chain reaction and can adversely impact many regional economies.

Caribbean Nations

• Phishing Site; Malware Download Site; Piracy Server; Child Porn Server; Spam Server

• Webmail Spam; Stranded Abroad Advance Scams; Harvesting Email Scams; Access to Corporate Email

• Online Gaming; Online Gaming Goods\Currency; PC Game License Keys; Operating Systems License Key

• Facebook; Twitter; LinkedIn; Google

• Spam Zombie; DDoS Extortion Zombie; Click Fraud Zombie; Anonymization Proxy; CAPTCHA Solving Zombie

• eBay/Paypal Fake Auctions; Online Gaming Credentials; Web Site FTP Credentials; Skype/VoIP Credentials; Client Side Encryption Certificates

• Bank Account Data; Credit Card Data; Stock Trading Account; Mutual Fund/401K Account

• Fake Antivirus Software; Ransomware; Email Account Ransom; Webcam Image Extortion

Profile of a HACKED system

“WHAT HACKERS CAN DO WITH A HACKED SYSTEM”

Caribbean Cyber Security Recommended Roadmap

Recommended Action Plan (Public & Private Sectors)

Step: Action

A: Assess your Assets, Risks, Resources

B: Build Your Policy

C: Choose your Controls

D: Deploy Controls

E: Educate Employees, Execs, Vendors, Partners, Public (“THINK, CLICK, SURF” Regional Awareness Program)

F: Further Assess, Audit and Test

Service Category: Support Service Offering

Technical
• External Penetration Testing
• Internal Penetration Testing
• Independent Vulnerability Assessments
• Independent Risk Assessments
• Computer Forensics

Management
• ICT Security Policy & Development
• ICT Security Architecture Audits
• IT Security Compliance Audit
• ICT Security Governance
• Security Incident Handling

Operations
• Security Awareness Training (Community & Business Models)
• Continuous Monitoring
• CSIRT Development
• Security Operations Center Development

Caribbean Cyber Security Center: Support Services

VALUE

In the rapidly evolving world of cyber threats and vulnerabilities our mission is the protection of Caribbean private and public ICT information systems and resources, as a regional development issue.

To become a recognized “hands-on” regional cyber security and information assurance resource for ICT Penetration Testing, Vulnerability Assessment, Risk Assessments, Security Awareness Training and ICT Security Governance/Policy development support.

We have harnessed a best of breed team of recognized and experienced cyber security and information assurance consultants and technology partners, who are well versed in global cyber security compliance standards and best practices.

Caribbean Cyber Security Center: Our Team

Mr. James Bynoe
• Title\Role: Senior International Cyber Security Consultant, CEO\Founder CCSC
• Clients Supported: National Aeronautics and Space Administration (NASA); National Oceanic and Atmospheric Administration (NOAA); U.S. Environmental Protection Agency (USEPA); Raytheon ISS; Computer Sciences Corporation; U.S. Department of Defense
• Core Expertise: Security Governance; Security Operations (SECOPS); Enterprise Vulnerability Assessments; Risk Assessments; Business Impact Assessments; Information Security Program Development; Penetration Testing; Disaster Recovery

Mr. Deon Olton, CEH
• Title\Role: Senior ICT\Cyber Security Consultant, CTO\Co-Founder CCSC
• Clients Supported: LIME; First Caribbean; Barbados National Bank; Barbados Shipping and Trading; Caribbean Telecommunications; St. Kitts Government; Elegant Hotels
• Core Expertise: Security Governance; Security Operations (SECOPS); Enterprise Vulnerability Assessments; Risk Assessments; Penetration Testing; Security Awareness Training; Cyber Forensics; Continuous Monitoring; Technology Insertion; Exfiltration Testing

“What Makes CCSC Unique”

The CCSC team represents a unique combination of proven and experienced cyber security professionals assembled specifically to support the Caribbean.

CCSC Executive Advisory Team
• Mr. Niel Harper, CISSP, CISA, CRISC
• Mr. Cordell Robinson, Attorney, C|CISO
• Mr. David Gittens, CISSP
• Mr. Michael Barrington, CISSP, TCNE

Implications for the Caribbean in Staying The Current “Unsecure” Course

• Loss of Caribbean Investor Confidence, which will adversely impact whole economies

• Loss of confidential data which damages overall regional reputation

• Losses in Revenue, Customers and Man-Hours

• Negative Reputation - Non-Compliance with Standards

• Costly, difficult and long recovery process

• Wide Reaching Stress / Uncertainty / Job losses

• Information theft and business disruption continue to represent the highest external costs.

• Cyberattacks can be costly if not resolved quickly

• The average time to resolve a cyberattack is 24 days, but it can take up to 50 days

"There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again," he told the crowd. "Maintaining a code of silence will not serve us in the long run." U.S. FBI Director

Our web presence\portal: www.caribbeancsc.com

Contact Information

James [email protected]

202-640-8085

Deon [email protected]

246-232-9009

Michael [email protected]

443-854-1573

Thank You For Attending!!