Barbados Cyber Security – Recommendations from a Bajan Cyber Warrior

Submitted by James Bynoe – Senior Cyber Security Consultant

Chris Sinckler, Minister of Finance, revealed this week in the House of Assembly that the computer system at the VAT Office was hacked.

The recently reported hacking of the Barbados VAT system should serve as yet another trigger for the Barbados government to ensure that our national cyber security house is in order. As a senior cyber security consultant who has led ICT vulnerability assessments for large and small public and private sector organizations worldwide, I can tell you that the effective protection of Barbados’s key public and private network infrastructures is a challenge that must be confronted proactively and “not” reactively. The successful hacking of a major financial institution in Barbados, if publicized globally, could have a devastating impact on the Barbados economy, stemming from a potentially massive loss of investor confidence in our ability to protect information and financial assets.

Unknown to most, many hacking events are broadcast worldwide via numerous hacker communities, and the hacking of the Barbados VAT system could place “Barbados” on the “hit list” of thousands of criminal hacking enterprises worldwide. It is therefore imperative that government proactively establish a national cyber security strategy which addresses and provides guidance on a wide range of cyber security risk areas for both the public and private ICT sectors.

It has been proven by many global ICT research organizations that it is always significantly more costly for organizations and governments to recover from hacking events than to implement “proactive” technical, management and operational security controls and protections. I also believe that, with government support, we have the local ICT expertise in Barbados to become a regional leader in the future delivery of the wide range of cyber security technical, management and operational support services that both the public and private sectors will need.

With that said, below are a few things Barbados can do to strengthen our cyber security posture while cultivating and expanding this emerging ICT area:

# 1 – Establishment of a Caribbean Center for Cyber Security (CCCS) in Barbados, which will act as a centralized regional cyber security “think tank” for harnessing best-of-breed cyber security technical, management and operations plans, policies and procedures which can be tailored to meet the many nuances of the Caribbean cyberspace environment. The core mission of the CCCS will be to provide standards and technology usage guidance to protect the public and private sectors in Barbados against threats to the confidentiality of information, the integrity of information and processes, and the availability of information and services, in order to build global “trust and confidence” in Barbados’s ICT capabilities and resources.

# 2 – Establishment of a Regional Cyber Security Assessment Service Center for Government Networks via the CCCS. This will provide the region with an independent security vulnerability assessment capability that can be used to periodically assess an organization’s cyber security posture against global cyber security best practices.

# 3 – Review and update the Barbados government’s ICT security operations and monitoring capabilities so that they proactively monitor for cyber security attacks.

# 4 – Support the expansion of Cyber Security Training and Education in Barbados in an effort to lower our national dependence on external international entities for cyber security expertise. In order to ensure our continued technical advantage and future cyber security posture, we must develop a technologically skilled and cyber-savvy workforce in Barbados, with an effective career pipeline of future Barbados cyber security professionals.

# 5 – Facilitate improved Barbados and regional Research and Development partnerships with global ICT Cyber Security Solutions Providers and R&D organizations to ensure the Caribbean has timely access to best-of-breed emerging technologies and threat data. CARICOM ICT leadership can play a significant role in this initiative, which will allow us to coordinate and redirect research and development efforts across regional nations while working to define and develop Caribbean-centric strategies to deter hostile or malicious activity in cyberspace.

# 6 – Support the establishment of a Barbados Public Cyber Security Awareness Campaign to strengthen the future cyber security environment by expanding public cyber security awareness and knowledge, including awareness of credit card fraud, ATM crimes and identity theft, to mention a few key topics.

# 7 – Support Regional Cyber Security Information Sharing where feasible, with emphasis on combating common regional cyber security vulnerabilities and threats. This initiative will enhance Barbados’s situational awareness of regional cyber security incidents and threats.

# 8 – Establish a Barbados Cyber Security Risk Management Framework and Governance body which leverages international risk management and governance best practices to ensure the Confidentiality, Integrity and Availability (CIA) of BGIS public and private information and communication infrastructures.

# 9 – Establishment of a Barbados-based Caribbean Computer Forensics Capability which will support growing local and regional public and private sector cyber security forensic needs.

In closing, I would like to share a little story. I was an invited guest speaker on the topic of Cyber Security in Barbados, and a man stood up during the question and answer period and asked me, “Do you think cyber criminals really care about Barbados? We are too SMALL!”
My answer: “Size in cyberspace means nothing; access means everything … and this is what criminal hacking enterprises are looking for each minute of every day, across multiple time zones, via an expanding range of tools and techniques.”

0 thoughts on “Barbados Cyber Security – Recommendations from a Bajan Cyber Warrior”

  1. The latest thing I understand is that the minister of finance has announced that a kindle is not a computer and duty will be charged on them. So what is an Ipod, tablet? How much longer do we have to suffer under these idiots?

  2. David is that a recent photo of the minister? If that is so he and the bull frogs in my garden looking like first cousins!

  3. @islandgal

    The Minister admitted recently on air that pressing matters of state do not allow for time to play road tennis and shed the weight. One wonders what is the purpose of serving if it is at the risk of ones health.

  4. And if one ‘o des days one of those Wiki-leaks style inside jobbers is a Prime Ministerial friend?

    What then?

  5. Simple Simon does only ask real simple questions.

    Simple Simon leaves it up to the smart people to provide sensible answers.

  6. Most governments are not technologically savvy and they spend vast sums on systems that are insecure by design and have backdoors to let in their government, which is now using the tools they have and are building for aggressive cyberwarfare against states they disapprove of, so it’s not only cyber criminals that have to be feared.

    That’s why countries like India and China have successfully asked a certain supplier to provide them with the source code to their operating system so they can verify the absence of backdoors.

    Recent events like the STUXNET virus used to disrupt Iran’s nuclear operations, taking down Saudi oil’s Aramco networks for many days and a spate of other successful attacks around the middle east.
    China’s suspected successful exploits against US Corporations and government also shows how weak the infrastructure is.

    I won’t mention the affected operating system that’s proved to be the weak link but I have had £400.00 worth of purchases taken from my Debit card after purchasing an item online from a London company that was obviously leaking my data through malware infection on their PC.

    Malware is getting smarter all the time and protection always lags infection, clean one up and wait for the next one to strike.

    Entities such as the Israeli government have recently been tested and proved impregnable and I bet I know what system they use – one that drives Wall Street, London, Tokyo and Deutsche Stock Exchanges, Disney, the US courts, USPS, NASA, IBM, Google, San Francisco BART and a whole bunch of other enterprises that caught the clue train and based their systems on a robust infrastructure that ensures minimal risk at any time.
    You can’t say no system is foolproof but the major number of attacks are directed at one operating system and it has nothing to do with the old chestnut of numbers not justifying attention when most of the internet backbone is based on this system.

  7. “The Minister admitted recently on air that pressing matters of state do not allow for time to play road tennis and shed the weight.”

    If “pressing matters of state” refers to his jumping pon a plane every two weeks to live high off of hotel accommodation well then he would have a point …! The President of the United States of America is required to jog for a certain amount of time every morning before he commences work. There has never been a fat one yet (maybe one that was confined to a wheel chair). “Pressing matters of state” my ass …!

    Again how do you trust individuals from a phantom institution to do the right thing. What arrangement was made between members of the political party and a private concern (Bjerkam …?) on the leasing of Barbados’ land at Coverley and how is the enumeration made between the said private concern and the Minister responsible on the sale of each house …(Some say it is fifty thousand per house … Who handles the conveyances …?)

  8. It is quite frightening to see how lax security is on many websites in Barbados – both government and other.

    Sadly, this is a direct consequence of the lowest bidder winning web contracts – the coding will be substandard using unpatched, unchecked open source solutions and the hosting will be free or shared with no real server security.

    As with most things in life, you get what you pay for and the cheapest is not necessarily the best!

  9. Sid Boyce

    Which is the OS that you have a problem with … open yah mout’ do. Is it Microsoft.? Which is the system that you are impressed with ..? In any event the safest way to protect your savings is to keep your credit card limit small (£500) and your db card account small at least the ones that you plan to use with on-line purchases.

  10. The nine recommendations above may all seem like wonderful ideas to someone in the IT world but are surely putting the cart before the horse.
    Maybe we don’t need an ICT CCCS, an RCSASCGN, expansion of the CSTEB, B&R R&D partnerships with GICTCSSPs and R&D organizations, a Barbados PCSA campaign, support for RCSIS, a Barbados CSRMFGB to ensure CIA of BGIS PPIIs and the establishment of a CCFC.
    Perhaps we should just find out in what way the VAT system was vulnerable. If it was someone leaving their password on a yellow post-it note on their desk we could avoid having an ICT CCCS, an RCSASCGN ……………

  11. Cyber security in Barbados? In the public sector? Give us break!

    Here we have an administration that finds great pleasure in “leaking” documents and arranging to have stolen unread reports like the CLICO forensic exposé.

    How can you expect an administration to be cyber-security savvy when that same administration can’t even regulate the presence of an estimated 30,000 unlicensed and uninsured on the roads or remove the unsightly garbage from the streets or have removed from the pavements within 24-48 hours instead of the current 4 weeks the grass and tree trimmings from weeding the verges?
    You got to be joking, mate! It seems Mankind would land on the Sun before any of the above issues are sorted out far less the effective application of cyber security regulations and controls in Barbados.

  12. @Sid Boyce – No system or infrastructure is impregnable. The most the data owners for a specific platform can do is mitigate the risks associated with delivering the service to a tolerable / acceptable level. This can be done through effective controls which address people, process and technology. And from a technology perspective, “defense in depth” is the ideal posture to adopt.

    • @Miller

      How did you get CLICO into this topic? Is the CLICO Mess unique to Barbados or is it a regional problem which has its genesis in previous administrations proclivity for greed? {Please take that argument offline.

      On 2 December 2012 12:10, Barbados Underground

    • @Lien Dubrovsky

      This is the question if we bring it home.

      Are you and the IT experts on this blog satisfied we “have [adequately been mitigat[ing] the risks associated with delivering the service to a tolerable / acceptable level”.

    • I said exactly the same thing – No system is impregnable. Just that security by obscurity and as a bolt-on feature is the weakest security model. That has proved to be the case time and time again.

  13. @ David | December 2, 2012 at 8:13 AM |

    If this country can’t even handle straightforward issues within its control and competence how can it even consider things like cyber security.

    Stop hanging your hat higher than you can reach. Deal with the manageable and doable first before attempting to deal with cyber hackers and criminals. That is way out of this country’s league. Listen to the recent BBC interview with Julian Assange and you will appreciate what is being said here.

  14. There is no such thing as cyber security.
    Any information placed on a computer, phone or any Internet device is fair game. The solution is to only place information whose loss will not be catastrophic.
    Bushie has to agree with Miller. This is the very least of Barbados’s problems right now.

    What cyber security what?
    What VAT security breach what??!
    ….to find out how much Bushie paid last month…? Stupseeeee

    Skippa, according to Caswell (and no one has disputed him so far), a well known and respected business robbed our VAT of $25M and got away with it….in broad daylight.
    Others have pocketed even larger amounts and are continuing as we blog…

    Why waste time and effort cyber stealing when they can just take it just so…?

    The only beneficiary of this ruse is the author and his ilk – who are able to build straw men, set them alight, and then offer fire prevention insurance…. 🙂

    • @Bush Tea

      To clarify, there is a basic level of IT governance which is required if the efficiency of government is to be safeguarded. VAT is one of the biggest revenue collection public agencies, it cannot be governed like a rum shop.

      On 2 December 2012 17:29, Barbados Underground

  15. The goal in effective cyber security is not to eliminate all risk as this IS impossible … The goal is to lower technical, management, and operational risk to an acceptable level.

    The point of it being impossible to eliminate all risk should not be used as an excuse to do nothing ..

  16. As a COMPUTER Literate individual I’ve personally been able to penetrate/hack a significant number of the Barbados Government web sites based on the island. Barbados Government web sites based off island are not so easily penetrated. It may come as a shock to Bajans that a significant percentage of Barbados government websites holding sensitive personal information are located outside the country and not subject to Barbados laws. I suspect a portion, if not all, the new Land Tax payment system is located in Salt Lake City, Utah, USA. I do not consider myself a hacking expert, only one with knowledge of computer systems and their supporting systems. If I can penetrate a significant number of government in country web sites imagine what a knowledgeable hacker can/could do.

  17. @ David & James
    Wunna points are taken and noted. HOWEVER, there is the question of PRIORITIES.
    Bushie thought that Miller had explained the matter very well….
    One does not focus on installing an advanced electronic home security system until one FIRST buys a home.
    …AFTER buying the home, one then ensures that the roof is not leaking, the termites are under control, the locks actually lock, and the plumbing is not leaking….

    When these things are in place, one may do a little painting, gardening and buy some insurance ….

    THEN……and only then ….does it make sense to go around looking at CCTV systems with audio, phone alert capabilities and intruder detection alarms.

    Barbados got a garden?!
    We got insurance?!
    ….the damn termites in the house of assembly under control?

    Skippa, the roof leaking …..and don’t talk about the water works plumbing….. Um is wuh? 50% losses?

    ….and wunna talking bout cyber Wuh?…..and you calling Bushie simple David 🙂 ?

    What the hell we got left to thief anyhow? ….the little that we had now belong to the Canadians and Trickidadians….. What you wanna bet that THEM fellows got tight cyber security….?

    ….what we need is some cyber sense….. 🙁

  18. @DAvid
    “Are you and the IT experts on this blog satisfied we “have [adequately been mitigat[ing] the risks associated with delivering the service to a tolerable / acceptable level”.”

    No we haven’t. But as Bushie and Miller have been hinting, this is par for the course where our level and efficiency of operation in all spheres are concerned. Cybersecurity is an issue of note, but, if we can’t get the basics right (decent service delivery and quality, efficiency of business, effective systems and organisational analysis, adequate project management, flow and budgetary controls etc. etc.) then we will never get this right either. Even if our hands are held along the way.

  19. @Bush Tea, Observing et al

    The global economy necessitates a new way of doing business facilitated by the Internet. If we want to protect existing business (not new) we have to build out ICT architecture which meets minimum requirement. It surely does not mean because we have running problems with governance in other areas we have to neglect cyberspace which is a requirement of a new way of doing business.

  20. @Bush Tea, Observing et al

    The global economy necessitates a new way of doing business facilitated by the Internet. If we want to protect existing business (not new) we have to build out ICT architecture which meets minimum requirement. It surely does not mean because we have running problems with governance in other areas we have to neglect cyberspace which is a requirement of a new way of doing business. @enuff

    Who defines ‘ability’? The challenge is that we don’t want to adjust lifestyle ie. consumption habits. Of course we have the genuine cases of hardships and the vulnerable we have to factor however if we wait for the perfect design nothing will get done.

  21. @DAvid
    “The global economy necessitates a new way of doing business facilitated by the Internet”

    But we aren’t even meeting the minimum ICT and operational threshold for this new way of doing business right now. And we’re definitely behind the curve if we want to achieve the objectives that we say we want. Cybersecurity yes, but have proper systems and procedures in place to secure first. Else we protect information that isn’t driving our business and economy the way it should. It’s safe, but not suitable for capitalising on. Just my two cents worth.

  22. @ David
    Why don’t you ask James how much he is willing to charge for the needed security?
    ….it may be a case of buying a nice wallet to protect one’s money – except that after paying for the wallet such protection may no longer be necessary 🙂

  23. Everyone seems to keep forgetting that successive governments are renowned for not maintaining anything, hospital equipment to save people’s lives, babies’ lives. Do u really think they going to maintain firewalls on mainframes. Dream on.

    • It’s not firewalls around Mainframes, if they have a Mainframe, it’s the other stuff they use like Microsoft’s finest.
      Whenever you read a report it says computers or PC’s have been breached but it’s not the hardware that is insecure, it’s the good old wide open Windows operating system and the applications that are prone to trojan and malware attacks.

      Quite a few people have had their lives ruined when trojans and malware turned their Windows PC’s into botnets to download child pornography for others all unknowingly to them. In one case it cost a guy in the USA $250,000.00, lost his job, wife and home. Eventually a computer forensics expert was able to prove his innocence and save him a long prison sentence but what was lost was lost never to be regained.

      In another case a guy picked up a boarding pass stub in San Francisco Airport and through internet searches found that the guy’s wife had been using Kazaa to download music while Kazaa was uploading all their files to the internet including bank accounts and more. The guy in California was able to obtain his phone number and alert the guy in Kent (UK) with the advice to change his accounts ASAP.

      Another guy in the South of England had his account transferred to Oxford and left him with massive bills through the fraud that left him ruined and put on the bad debt register.

      A few years back when Microsoft switched hotmail from BSD to Windows and IIS they suffered a massive Denial Of Service attack and had to switch Hotmail to behind an ISP running Linux to provide them with a shield from the DOS attacks.

      Quite a few years ago a virus caused havoc on our Windows servers, laptops and PC’s – used because they were cheap compared to using Mainframe or SPARC resources. When the panic was on I sent out an email to Amdahl worldwide stating that some people liked living in a neighbourhood where there was a high risk of getting mugged, others get out and I was in the latter category – I ran Linux – and I still do.

      Skype used to run on Windows but since Microsoft bought them they have migrated it to Linux, making Microsoft a big Linux user – after they called Linux a cancer, communistic and unAmerican.

      The above are facts any search engine will confirm.

      How the Eurograbber attack stole 36 million euros

      Trying to secure the insecure is a massive and continuous task and always lags any breaches. If you have to fix broken software with bolt-ons such as virus, spyware and malware prevention aids you are at the mercy of attackers.

  24. let me hear a bajan do that with just his voice and a guitar.! example for preceding comment..
    you picking up yet?

  25. hey snigger why dont you just say we dont want hackers to hack in to the government computers and see where the money really goes.!is your banking information in there for your off shore bribe account and all the other thieving
    so called officials.! we wouldn’t want that getting out would we.????????
    it will one day soon ! hope dodds got room for all of add on a wing .
    but let some other country pay for it.ok

    • You have not seen large scale adoption on PC’s and laptops simply because every desktop PC or laptop is preloaded with Windows and OEM’s supplying them have been coerced by the convicted monopolist. They will lose their discounted Windows prices if they adopt any other OS.
      There are a few large PC sellers that sell Desktop PC’s with Linux installed.

      Where you see Linux large scale adoptions – the internet backbone, Android tablets and smart phones, domestic appliances, Airline on-board systems, set top boxes like the Dreambox that’s so popular in Barbados, Smart TV’s, super computers, Mainframes, the Large Hadron Collider, Amazon, Royal Air Force, USAF, US Army, US Courts, Google, USPS, the City of Munich, Disney, Stock Exchanges such as Wall Street, London and Tokyo, NASA, IBM, Red Flag Linux in China, Russian government and schools, the region of Extremadura in Spain, Brazil, British Airways, The European parliament, Boeing, Intel and many many other corporations.

      Google and Facebook could not have even got started without Linux and I recently pointed to an article where Amazon deploys around half a million Linux servers.
      Search on the massive compute farms running Linux that Google and Facebook have. If you watched movies like Shrek, all the rendering was done on Linux farms by Dreamworks Studios. The movie Titanic and others use Linux compute farms.

      Embedded systems that deploy in millions largely deploy Linux – Beagleboard, Pandaboard, ODROID’s.
      I could go on all night compiling a list.

    • Further information on Linux …
      If you use a Smart TV, a Dreambox, an Android Phone or tablet, a fridge, own a new car or simply using the entertainment system on a flight they are using Linux.
      The Raspberry Pi and almost all embedded systems run Linux.
      The majority of the internet backbone runs on Linux, so it’s not just a niche operating system.
      It’s also where the highest paying computer jobs are on offer.

      One of the real benefits is the educational value. Besides being free as in both freedom and free beer, it’s of benefit to anyone wanting to learn the internals of the system unlike Windows where you get only what Microsoft damn well gives you with no say in how it’s put together.

      Besides the big companies like IBM, HP, Intel, Dell etc. anyone is free to contribute to Linux development by way of enhancements, submitting improvements etc.

      There are programmers all over the world who are contributing to the operating system core – the Linux kernel – and all the applications that run on it.
      That a 7 year old kid was able to submit a critical patch shows there is no age barrier and certainly no ideas barrier.

      I don’t want to give the impression that it’s an unruly mess, there are king pins who vet everything that goes into Linux so submissions are scrutinised carefully and may be rejected if they don’t conform. Even IBM has had submissions rejected with a go away and clean it up before it’ll be accepted.

      One of the complaints from some new users is confusion over the number of Linux distributions out there (hundreds), but that is choice – anyone is free to develop a new Linux distribution or modify an existing one and put it out there for anyone else to use, modify, redistribute or whatever their fancy or needs desire.
      The following URL lists one such distribution for ages 2 to 12.

      All you need is a PC which you certainly have.
      There are “Live CD’s” and USB keys that allow you to try any Linux distribution without having to touch your hard drive with Windows on it.

      The Ubuntu distribution from Canonical (by Mark Shuttleworth – the South African who made the space trip) is very popular.

      Another company RedHat started out in a guy’s bedroom when he realised that from playing with Linux he could start a company selling it and services surrounding it to Enterprises and also offering it free for anyone to download.
      RedHat is racking up billion dollar sales annually.

      Going back some years there was a company in Trinidad that was selling Linux service, I don’t know if they still exist.

      CERN has a Linux distribution called Scientific Linux that’s doing the work on the Large Hadron Collider – anyone can download and run Scientific Linux. As with all Linux distributions, it’s free.

      This is the new world of “open source software” and now some guys are doing the same with hardware.
      Collaboration and sharing is what it is all about.

      Every distribution also comes with oodles of applications to do any task.
      Even handling Microsoft Office word documents – word processing, spreadsheets, presentations, etc. there is StarOffice, LibreOffice and others which can run on any operating system including Windows so you don’t have to pay Microsoft for an Office suite to handle your documents or those sent to you.

      Towards a free world where ideas flourish.

  26. This is one of the Googleplexes, hard to imagine that they started from a small building that I saw from our car park in Sunnyvale Ca. and wondered how they could have been worth billions back then. I mean, if the building had burnt to the ground, the insurance value of the building, if they owned it and the cost of equipment couldn’t have come to more than a few million dollars.

    I guess the value was and still is in the human capital.

    There are so many companies with huge datacentres. When I first started you didn’t have to look for the Mainframe in a room, later we and IBM had shrunk the mainframe to the point where you had to hunt for it in any unfamiliar site.

    I’ll see if I can find pics of Amazon as they use Mainframes delivering the power of a large group of Google boxes in a Mainframe taking up a 20th of the size – Mainframes cost and are only now supplied by IBM whereas Google, Facebook, etc. grow their own server farms based on PC type components.

  27. This is a typical Facebook farm,29307,2036928,00.html

    When it comes to Supercomputers, IBM, Cray and others power climate science, weather forecasting, nuclear research, space research, gene research, etc. They make the VP1200 we installed at Manchester University in 1989 look like a toy.

  28. I forgot to mention a few of the non-technical Linux users.
    Stanley – a Kittitian retired welder now 84+ has been using Linux for around 8 years. He wanted a PC so we went and bought one and I installed Linux on it.
    Stan had never used a keyboard in his life so when I mentioned Backspace he had to ask me where it was and what it did. He then pointed to the spacebar and asked the same questions.
    He does work with his camera, burns CD’s/DVD’s with sound, video and also family pictures, also wordprocessing, Skype, browsing the internet and other stuff – most he discovered himself.

    Vic a 74 year old retired sheet metal worker does all sorts using Linux.

    Just 2 of the few I know besides the articles I read from guys and gals having their old folk using Linux.

    Very remiss of me not to have mentioned the ladies who are making significant contributions to Linux development – they are there up front, though they sometimes only come to be known when they blog about being patted on the backside or worse at conferences by dirty young men doing it surreptitiously in the crowd.
