Today Trend Micro, working jointly with the Organization of American States (OAS), released a study outlining the current state of cybersecurity in Latin America and the Caribbean. The study, while not eye opening – many of the risks have been known by IT Security Professionals for some time – offers a real qualitative and quantitative study of the cybersecurity threats that exists in the region.
While the report focused more on Latin America (the only Caribbean country with significant attention was Jamaica), our close proximity to South and Latin America means that we should consistently remain abreast of the developments there.
I read the reports and have distilled some of the highlights for you.
A general increase in cyber incidents were reported by most countries. However, the belief is that this was due to better detection and security mechanisms put in place, indicating that attacks were happening all the time but were previously undetected. The report noted that in many instances there was no rating or scale used for the incidents that were detected.
Growth of Hactivism
An interesting trend that was noted was the growth in hacktivism or politically motivated hacking. These instances were not driven by financial gain, but were coordinated attack campaigns in response to legislative initiatives. These attacks brought the issue of cyber security to the forefront, and may have provided some benefit by making those in authority more aware of the threats out there.
The report wasn’t able to quantify the losses caused by hacking, stating that it was impossible to gather, but still said that it was very high, possibly even greater than losses of any other form of crime. I find this a rather dubious claim though, and would prefer to see more evidence before stating such.
Threat to Industrial Control Systems
Industrial Control Systems (ICS) are at an even greater risk in the region, than in many other parts of the world. I gather that the report also included financial, transportation, healthcare, and telecommunications as having ICS. Trend micro found many ICS devices connected to the Internet, possibly for remote management and administration. This may not be a problem in itself, but it found that these systems will both unprotected by a password or unpatched. I know of a few cyber scams that have hit telecommunications companies within the region, but none that have hit industrial systems… as yet!
Keeping up with Cybercriminals
Trend micro found that the hackers in the region were learning from their counterparts in other developed countries, mainly from Eastern Europe. Meanwhile, law enforcement authorities were having a hard time keeping up with the cybercrime developments. The report cited inexperienced cybercrime investigators and the shortage of prosecutors who specialize in technology related offenses. There is also a need for highly skilled professionals who can secure networks, diagnose intrusions, and effectively manage cyber incidents.
Inadequate Security and Awareness of the General Citizenry
One of the conclusions formed was that the greatest form of attack was via file infections. This is an indication of insufficient security mechanisms on personal PCs and a lack of awareness of the general citizenry of how to protect themselves from cyber threats.
Impediments to Cybersecurity within the Region
The report brought to fore some of the major issues impeding the region’s cyber security efforts.
- Lack of information being shared about security events such as breaches, intrusion attempts, or attacks.
- Lack of law enforcement or federal laws and regulations.
- Skewed data about security incidents that may not be factual or just anecdotal evidence (“I heard that this happend…”).
- Differing standards as to what constituted a cyber incidents. Some countries only counted attacks on the Government as incidents, while others count everything.
- Lack of National Computer Security Incident Response Team (CSIRT).
- Lack of highly skilled professionals in the area of cyber security.
The report included three recommendations for governments and organizations in the region to help improve the state of cyber security.
- Raise awareness of safe cyber habits and general cybersecurity awareness among Internet users, critical infrastructure operators, and government employees.
- Invest in and promote enrollment in technical degree programs to ensure an ample pool of qualified candidates from which to draw professionals that would be needed to fill the increasing number of information security careers.
- Continue strengthening policy mechanisms to assign governmental roles and responsibilities related to cyber security and codifying information sharing and cooperation mechanisms.
I would also include that the formation of CSIRT’s at both the organizational and the national levels, even at the regional level. This would help coordinate activities in addressing cyber security. And while I do not think we need to go as far as having degree programs, we do need to increase the pool of people who deeply know information security.
I recommend that you read the report here (pdf), and please forward it to others, especially those in the position to take the cause forward.
Do you think that enough efforts are being made to improve cyber security at both the organizational and that the governmental levels? Leave your comments below.