As you can see, we are very much sticking to a conference theme of digitization, the new norm. And we've just come from a very interesting panel moderated by my daddy jagannadh, which we've already been hearing and understanding the views that we all have emitted from us over the years.
My name is George Gordon, and I'm a director at TD mag. And I'm very pleased to be your facilitator for this panel today. Now, according to Cybersecurity Ventures, cyber attacks are on the rise. And they're really estimated to cost, at the end of 2020, cyber attacks were estimated to cost organizations around 20 billion US dollars; that's really a whole lot of money. $20 billion when the risk or entry is very low, and you only have to be able to do is a good feature, or be able to get on the dark web to get ransomware or malware that somebody doesn't feed for a cheap price. As defined by cc USC, cybersecurity is the art of presenting, or protecting, sorry, networks, devices and data from unauthorized access or criminal use, and the practice of ensuring confidentiality, integrity, and availability of information concepts constantly consistently. We have all become very heavily reliant on the internet for communications, entertainment, transportation, online shopping, health, etc. and various types of devices. The COVID-19 virus has exacerbated use of films like digital transformation, as an in fact increased reliance on use of the Internet to conduct our businesses and in fact, you know, to conduct our daily lives. However, as reliance and usage of these systems have increased, a new breed of criminal has further emerged out of the shadows, known as a cyber criminal, who is constantly trying to gain access to computer systems. And he did this initially as a subject of self-satisfaction and self-aggrandizement. But now more and more, we're seeing this as being used as a source of ill-gotten wealth. And we know viruses have been around for a long time since the advent of computers whose primitive started proliferating in the 70s.
What we're experiencing now seems to be modern new versions of this, a technologically advanced software that has morphed into new words in our vocabulary, like phishing, spear phishing, social engineering, denial of service attacks, man in the middle, cross-site scripting, and most recently, a lot of what ransomware attacks been administrated or run into on the web. The panel that we have worked together to do and discuss what we as individuals, businesses, academia, and governments should know about this madness. And how do we protect ourselves from financial ruin, loss of privacy, loss of intellectual property. This panel is CT, to use known cybersecurity breaches to illustrate the costs and harms incurred, whether financial, personal or otherwise, but we're hoping by the end of this panel discussion, you as our audience today will leave with a much better understanding and perspective of cybersecurity, and the steps you need to protect yourself, your family, your business, and your employer. Let me first of all introduce you to our illustrious panel, one by one, as I ask them to give a five minute overview on the topic and their take on it. I would only do short bios, and their full bios will be available at our website and this event page, www dot IGF that dg, and this panel that we brought together really brings a lot of industry experience and guarantee isn't new and do justice to this topic. Cyber security in you know,
The first panelist that I've asked is Carrie Ann Barrett, and she'll have cameras on so we can all see her. Carrie Ann is the CIO cybersecurity program officer with the Organization of American States. In her capacity, she offers technical assistance to Member States in the development and implementation of their national cyber security strategies, as well as assisting implementation of various technical projects with the cyber security program. She's also an attorney at law with over 15 years of experience spanning over two you may contract and the legal addition to her legal professional experience. She has had appointments with the Ministry of National Security, Trade and Industry leave and small micro enterprise development, including legal consultant to the CARICOM Secretariat and the ILO sub regional office for the Caribbean. Mrs. Barrett horns and Siri good and cybersecurity risk management, a Post Graduate Diploma in international arbitration, and a master in Business Administration, and B certification and legal frameworks or icds. Mrs. Barrett's expertise covers electronic commerce, Internet governance, cybersecurity, and more recent issues led to the development of the National Cybersecurity strategies for the Bahamas, Costa Rica, Dominica, Jamaica, Suriname, Dominican Republic, Colombia, Mexico and Peru in developing the National Cybersecurity firm prevalence. Good morning and welcome. Carrie Ann, please proceed to give us your take on this topic and how we should be looking at going forward with this discussion.
Gary, thanks so much, George. And hello, everyone, and happy Data Privacy Day. I think it's important to kind of bring attention to that since we're doing the topic of cyber and data privacy, so closely related. I'll try and have five minutes, I'll try and give you a total charge. I'll try and focus on what's happening in the Caribbean at large, give you a more regional perspective, because we have very, very good speakers who will give you more specifics on some of the topics that we want to cover in cyber. So one of the resources I wanted to share with everyone on the call is a 2020 report that we published recently with the IDB that covers cybersecurity risks, progress and the way forward in Latin America and the Caribbean. And in that study, one of the things that we picked up in the region at large with cyber is that many of us have actually improved our cybersecurity, believe it or not. It may not seem as impactful as we would want it to be. But we at the regional level kind of cone some of the small progresses that our governments have made. For example, many have actually implemented national cyber security strategies. Some have improved their legal frameworks, and many of them have thought about, actually, personal data protection.
And another thing that has happened in a region that we saw, though, is that more than three-fourths of the countries that we have in the region don't think about critical infrastructure protection. And for those on the call who may not know, those are the assets of the country that, God forbid something happens to them, the country is pretty much vulnerable and at risk. And I think that we've kind of noticed in that report, which I wanted to bring to this panel, is we've had a significant growth in countries thinking about cybersecurity and centralizing it into an entity. So many of them have actually established incident response teams. And that's actually a good thing as well. Trinidad and Tobago has a very good one, and we have someone from that right here, and Trinidad and Tobago has been working closely with that oil on that and building their capacity. However, as George rightfully said, with COVID, everyone was thrown online, and cybersecurity, while it was in the back burner for many of us, it's now come to light that digital assets crisis management is something that we have to think about tangibly. In terms of statistics, I wanted to share some with you that we had. In particular, between November and December in 2020, we did notice that in the Caribbean region, in particular, we had an increase in spike in spam, fraudulent spam targeting accounts throughout the Caribbean. Many of them were trying to make fraudulent activities because we now have, believe it or not, an increase in bitcoins in the region; there has been an increase of like almost 31,000 USD worth of bitcoins that kind of flooded into the market in our region. So many of the spam emails that we've detected have the title "Bitcoin money review, can you make $1,500 daily with this method", so they've been just targeting many of our citizens with that. And it just shows us that as much as we think the Caribbean is like a small speck in the grand scheme of things.
We're not exempt from the dynamism and the ease in which persons are actually targeting our citizens. Many of them are getting social or economic events that happen in seconds. So they're using the pandemic to make malicious activities. The epidemic has become the way in for many of our citizens who are panicked about thinking about vaccines, clicking on any email that they see about vaccines, because everyone is so wanting this pandemic to be over. And social engineering is not something new to cybersecurity, but it has now gotten on the wider platform with a global pandemic. What we do want to stress that's positive, though, is that although many of our countries have suffered like large losses because of the pandemic, in our tourism sector services, or SMEs, or commodity exports, we know that the impact is going to go beyond 2020. As we try to recover from this, it's going to be a long road back. But what it also helps is that a lot of our governments have now started to think about cyber. We have countries such as Barbados, though, developing their strategy, Guyana is developing their strategy, Jamaica is reviewing theirs. So there is an increase in awareness of the need to have this on the front burner and not on the back burner.
It wasn't just in the Caribbean; Latin America as well also suffered. We had a couple of instances of something called COVID lock that was gone through most of some of the Latin American countries where, in a matter of seconds, it was targeting individuals and companies. And because persons actually feared the pandemic, when persons clicked on the link, there was a lot of hijacking that happened. A lot of ransomware came out of that COVID lock campaign that they did. Another quick thing, because I only have a few minutes, that I wanted to kind of stress as well is we're a small region. And because of that, many of our parents, grandparents, guardians are in charge of our children. And with this thrust online and everyone going online, a lot of the parents still are not familiar with technology. And they still kind of fear it. And their way of addressing technology is to take it away from the kids: no, you can't get your phone; no, you can't get your iPad; no, you can't go online. So one of the things I want to leave with us before we go into discussion is I want to implore us to kind of think about the fact that we are now online. There's no going back from this. Our kids are now exposed to it; there is no locking them back in a box and telling them just to watch the TV. So I want to encourage you to discuss Internet safety and develop an online safety plan with your kids. For me, when I had to give my six year old a laptop for the first time, it freaked me out because I didn't intend for him to be online until he was like it. That was my grand plan. And I actually made him sign a contract with me. I wrote a contract. And I said, if anything suspicious happens online, what do you do? Tell mom. And he had to sign beside that line. So just actually, you may not, you don't have to be, you've now become a CISO as a parent, as a guardian, as a grandmother; you're now the chief information security officer for your house.
And as that person you may not have the technology, but I want to encourage you just to review some of the apps that your kids are looking at. I check my YouTube, things that my kids watch all the time, just to see what you're listening to. Simple rules: don't watch adults. Any adult that says anything inappropriate, that mommy wouldn't say to you, just tell mommy, click it off. And the last thing I wanted to just share with you before I go is just to remember that your kids are suffering a lot of anxieties right now as well. And online sometimes is their only outlet, those who can't go to school and play with their kids, who are still doing virtual, wherever you are in the Caribbean. Some of them are still only doing virtual school. So think about the anxieties your kids are doing. And this is the human side to cyber. And recognize that if you educate your kids appropriately, you'll have a better relationship with them virtually as well. So I'll stop there, just allow the other panelists and
Good. Thank you, Jerry, you brought up a very, very important, one very good and important point there, especially around use of children using our technology and using it effectively and productively and securely. So we've all seen the recent TikTok issues that arise where people, our kids, are trying all kinds of crazy things because they've been badgered or bullied to do things like that. So it's a very important thing and I hope you're able to drill down more into as we get into the panel discussions. Please feel free to add your questions in our chat. And we'll try to have them all answered by the end of the session. I do have the assistance of another Tiki mug director, Mr. Dilip Singh, who will assist me in getting those questions responded to. Our next speaker is Mr. Anish virtue. Anish is ICT security analyst, Trinidad and Tobago cyber security incident response team, and issues one Before the person that carry on yesterday, was talking about, as somebody who's already been doing this and representing Trinidad and Tobago. Anish is an experienced cyber security professional attached to the Trinidad and Tobago cyber security incident response team under the Ministry of National Security. His duties vary from incident response, vulnerability, threat monitoring to cyber security assessments of government systems and infrastructure. Anish graduated from St. John's University in New York with his BSc in cyber security systems and Master of Business Administration. He's also a member of the cyber security industry and advisory board that's in Johnston for the BSc and MSC program. I'm very proud, I'm very pleased to invite Anish to come and say a few words, his overview on the topic and where you would like to point in discussion.
All right, good morning, everyone.
So as George mentioned, I'm an HBCU with the cyber security incident response team. And really, what I wanted to bring to the forefront today and look at is that COVID really changed how we do business. And almost overnight, it has changed the risk profile, the cyber risk profile of most organizations, right, big or small. And we've been thrust into an area of remote working and having to put systems in place, again almost overnight, to be able to facilitate teleworking and working from home. And with that brings a whole bunch of new systems and software that wouldn't typically be part of your typical IT suite, you know, so in areas where you need to now set up VPN systems for secure access, some people don't set up VPN, they put Remote Desktop straight to the internet. You know, they use various applications, TeamViewer, AnyDesk, and so forth. Really, what I wanted to cover today is that we Internet tend to think that transmit was too small for hackers or threat actors to pay any attention to us. But that's not the case, it's actually very different. How these people make their money, how threat actors make their money, is by compromising systems en masse, stealing data en masse. All right, and it's very easy to get roped into one of these big mass campaigns. So we're going to do now, I just want to go through a couple of instances that we've seen over the course of 2022 relatively bring it home as to why organizations need take cybersecurity important, big organizations, small ones, anything in between, government and private sector. So one of the most prominent things we saw over the entire year of 2020 was attacks against firewall and VPN devices. And it's something that we tracked very closely here at the national CSIRT. So much so that we actually had to alert multiple entities Indra and W about the fact that the firewall, the VPN appliance, was actually compromised.
So just to give some statistics on that, from January 2020 to December 2020, there was 37 unique devices, I wouldn't call vendors, I wouldn't call any persons. But there were actually 33 different organizations with vulnerable VPN and firewall devices, right? Mainly because they were outdated. They weren't kept up to the latest software upgrade; some of them will be because of security misconfigurations. So these are all things that we need to be on to secure a network. And an interesting fact: out of those 37 devices that were compromised, 28 of them, the credentials for 28 of them, user credentials, ended up on the dark web on various forums. And also, so those 20 organizations, or actually all 37 of them, had to really undergo really intensive security audits to go back now to see if anyone actually made it into the network and what did they do if they made it. And another big thing that we saw, and that Carrie Ann mentioned earlier, was the incidence of spam. We got a lot, we've gotten reports of a lot of extortion based spam emails, as well as a lot of Bitcoin based spam emails. And, you know, they're basically trying to trick users, whether private users or users as a part of a company, to send out money, scare them into sending out money. One extortion campaign that we got quite a few reports on was the instance where the attacker claimed to have compromising pictures of the victims, through hacking a webcam and so forth. You know, so these are all events that happen on a daily basis, and we only see so try to track, mitigate and respond to most of these instances, particularly for government and government entities when it happens within them. So it's very important to take the necessary actions to protect ourselves, because it's something that happens. Sure that is not too small for anybody to do one day attack, because like I say, information these days is power and information is money. And so, I mean, just a couple of things to leave you with before I turn over to the next panelist is that, one, pay very close attention to security. Don't leave it as just an IT responsibility. Cyber security is now a board responsibility. There have been cases in the US where board members have been held accountable, or CEOs have been held accountable, for cybersecurity breaches, right. So this is a bonus, you know, you can't just relegate it to the IT department. And you'll see they will handle it as a company wide issue. And just about an hour before I hand over: we send out security advisories here from the national CSIRT. If you'd like to be a part of our security advisories, go to our website, tt csirt.gov.tg. And if you scroll all the way down, it'll be an area to subscribe and you'll get security alerts from us and security advisories. Ga I'd like to hand it back over to you.
Thank you so much, Anish. It's again brought up some very useful topics that we all need to be thinking about. One of the things that I have learned, and you know, you've been coming from a when a bringing my own experience to the table, we've seen such an increase in things like ransomware attacks on our businesses, and Bitcoin has become a word in a dictionary. And if you ask any IT person or any internal audit person whether the disaster recovery plans for the company, organizations or affiliates, does it have a specific chapter or portion of it that's dedicated to cyber attacks, typically the response that I get is: are we thinking about it, but it's not really physically there; we will treat it as we go. And if I, you know, I want you guys to take one thing away from this panel today, it is: please ensure that your disaster recovery plans, which you spend a lot of time putting together, are properly updated with the challenges after the which mainly are going to be cyber attacks. And they go welcome our next panelist, who is Nicholas Antonio. Nicholas is the regional technical Engagement Manager for ICANN, as the technical management manager for the LAC region, or Latin American Caribbean region. Nicholas joined ICANN in March 2020 and is based in the Montevideo office in Uruguay. Nicholas is an engineer and graduated from the University in an era where I'm not going to try to pronounce the name of the university, Nicholas Sparks he will tell us that, in the field of telecommunications, electronics and power systems. He also studied engineering in Madrid, Spain, Internet governance in a Diplo Foundation, as si G and usti, among others. For the last five years prior to joining ICANN, he was appointed as a senior advisor for the Uruguayan government minister in charge of National Telecommunications policy. During his appointment to this ministry, he has represented Uruguay in many regional and international organizations and treaties. In the past years, he has been working for the National telecommunications company and talent, different positions. He has been a university professor for over 14 years. He has also been working very closely with the Internet technical community. He's been a chair of LACNIC public policy for over six years, technical instructor at the LACNIC events for many years, as well as participating as an instructor in many other courses at the regional level. He participated from the community in the development of the DNSSEC root signing protocol, and has been working as a TCR, or trusted community representative, for the DNSSEC root signing process and key management protocol. He is also a founding member of LACNOG, the Latin American and Caribbean Network Operations Group. Welcome, Nicholas, this morning, all the way from Uruguay. And thank you so very much for accepting our invitation and bringing your representation to this panel. Nicholas sarios Hi,
hi. Thanks. Thanks very much, George. And
Good morning, everybody. I would like to invest these five minutes in some highlights or some comments. The absurdity of these comments is just to, you know, kind of provoke some reflections, discussion, exchange of ideas and maybe some questions that hopefully we can enjoy and, I don't know if answer, completely answer, but at least to address some concerns of this important topic. First, I'd like to talk a little bit on the threats involving the DNS, specifically not the ones that are against the domain name system itself, but the ones that use the domain name system as a means to perform some kind of attack or cyber crime. As you may know, the most common types of cyber crime involve either what is called phishing, which is, you know, the fraudulent practice of kind of sending emails pretending to be from reputable companies in order to induce us, you know, the users, individuals, to reveal some of our personal information like passwords, credit card numbers, bank account numbers, etc. So that's the phishing, and that kind of always starts with an email, as Carrie was mentioning, was referring to at the beginning, and Anish also referred to a lot of this attack means or attack vectors. Then there is the malware. The malware is software, basically, that is, let's say, specifically designed to disrupt or damage or either gain access at some level to another, I mean, it's unauthorized access, of course, to a computer system. This involves the so called ransomware, keyloggers, rootkits, sorry, viruses, all the cyber stuff that you already know. And then there are the botnets. The botnets are a network of private computers, let's say, that are infected with malicious software and controlled without the owner, without our knowledge. I mean, it is like accessing our computers without our knowledge and making our devices work in joint to perform an attack or cybercrime to a third person. So threats make use of the fact that everyone uses the domain name system. We all use the domain name system to translate from the domain names, which is a friendly way of referring to websites and almost any publicly accessible device on the internet; the DNS translates those names to IP addresses, basically. So we all use it, and these threats make use of that fact to perform some cybercrime or some threat. Those threats involve, for example: if you disrupt the DNS, then you disrupt merchant transactions, government services, social networks, etc.; you almost disrupt the whole internet if you gain access to a certain level to the domain name system. If you exploit the DNS, you can trick, defraud or deceive users. Most common vectors of exploiting, you know, include maliciously registering domain names, hijacking name resolution or registration services, corrupting DNS data, etc. Some of the most common attacks that make use of the DNS system are what is called disruptive reflection and amplification, that is, normally, to spoof the source IP address of a user, for example, or a website server or wherever you want to, you know, to make a denial of service and throw that device a lot of traffic, as much as possible, so that that device can't manage that traffic and stops providing the service that it is meant to provide. Then another kind of attack is what we call resource depletion. Resource depletion is more or less the same: it is to, you know, consume or try to consume all the resources of some service device and make the device stop working. Cache, what we call cache poisoning, which is, kind of at the resolver or the DNS resolver level, they change the registry, they make our DNS resolver answer the user with the wrong IP for a certain domain name. For example, I want to go to my bank account, I type www my, my bank.com, for example, and the DNS system will, you know, solve that translation and give an answer to me. And the answer is, if the cache poisoning was performed, was successful, the answer, right, the IP address I'm going to get, won't be the correct address; it will be a fake address with a site that appears exactly the same as the original one. And I will be, you know, giving the password and my username for my bank account to an attacker. Then another kind of attack is changing the resolvers that we use. That involves normally using some kind of malware to infect my computer and change the way my computer behaves. And when I go to a certain web page, for example, it will route to a fake web page, again, to get some information, data or whatever the attacker wants to be able to do. Using the DNS as a covert exfiltration channel: there are techniques that make use of the DNS traffic to embed data, and to be able to extract that data from a certain user computer or organization computer.
Why they do that, why they hide the data in the DNS traffic: because that way, they can bypass the firewalls and other security measures, if they are successful in hiding the data. When the computer sends a DNS query, inside the query it goes, the, my data. So that is another kind of attack. Another kind of attack, that is more or less the same, but the other way from the one that I just explained, is to use the DNS as a covert malware channel, that is, to command: I install malware into a computer and use the DNS answers, in this case, to hide commands and to send commands to the malware, for the malware to attack a third party or whatever. Exploiting IDNs, which is internationalized domain names, can be exploited in a way that points users to attackers' sites. Exploiting all IoT, and in general, any domestic or device infrastructure. So from user location to effective, there are mainly two scenarios here, I think: the enterprise one and the domestic one. And I think the main problem, I don't know if problem is not probably the best word, because it's not a problem per se, but it can lead to issues and problems. One of the main problems from a cyber security point of view is that the so called New Normal, you know, has exchanged the former, I mean, the working from the office to working from home.
So what can we do with that? Or what can we do to better, or to be kind of the more protective we can? I think the first thing to do is educate. I think the second thing to do is to educate, and the third thing to do is educate also. So we have to educate people, because we're educating ourselves. We have to take care, take extra care; we're using our domestic infrastructure, because we are not under the protection of our IT team which protects our company. In our house, we are the IT team. So we have to protect our infrastructure, or at least we have to learn and be educated to learn what are the threats that we are exposed to and try to mitigate them. Provide tools to organizations and to users to be more and more aware of what's happening inside and outside their networks. Of course, this will raise some privacy versus security considerations. AV, taking care of authorizations, registrations, password management, how we manage our passwords, how we do authentication. Do we use two factor authentication as much as possible? Please try not to use the SMS as a means to send the second, the two factor authentication. And if I use software on a regular basis, I have to have it, you know, updated. So patch your software, update your software, because normally the companies that produce software try to update it so as to, you know, mitigate all the threats and all this stuff. So in summary, what I tried to say is, I think we have to be proactive instead of reactive. We don't have to run away when some issue arises, but to take care of it in an informed and responsible way. I mean, we will still use internet more and more and more after this. But pandemic did so called a new normal involves using more and more internet every day, as Carrie also mentions. So that is my thoughts, my reflections, and I hope that, you know, inspire you to give some reflections, some comments, some questions.
Back to you, George.
Good, thank you, Nicholas. And really a good technical overview on all the things that we need to be aware of and how we progress. I love your trip prime. The three points that you brought up about the way to solve this problem is really one, education, two, education, and three, education. I think that says that. We need to go forward. Our final presenter on a panel today is Dr. Rajendra Singh, a system engineer from network security at UWI St. Augustine, up the ceiling, or Raj as we'll call him for this session, who has a PhD in computer science. For the past 16 years to currently, he has defined and held the role for network security at the University of the West Indies St. Augustine campus. He has a very broad set of training and experience in cybersecurity, holding as well several globally recognized technical and leadership cybersecurity certifications. Raj has implemented a wide range of innovative solutions for the university, mostly with minimal to little, very little resources and saying, the latest one leveraging a vendor's VPN feature to achieve zero cost two factor deployment with self password resets for close to 2700 staff working under the new normal at the University of the West Indies. Raj, welcome. Thank you very much for participating, and handing over to you now.
Thank you, George. Good morning, everyone.
So, by me being last, you have more or less covered the full gamut of cybersecurity that can be discussed in a forum like this. I have an article here which kind of summarizes where the new normal is. This article basically said that 95% of organizations have responded to the survey saying that the first thing that they have to do is change your cybersecurity strategy. Right? The biggest problem they have is enabling remote work at large scale. And as Nicholas mentioned, education, education, education for your employees. Network security and threat prevention, those need to be improved, and it's probably rated at like number four. Endpoint and mobile security probably go hand in hand with your remote work, because it's either you deploy these endpoints and mobile devices, which your organization would normally handle, with the employee, or you do bring your own device in those cases. Carrie-Ann started off with "Welcome, and happy Data Privacy Day." So one of our challenges when you have bring your own device, or even providing a device: how do you protect that person's personal information? When it is at home, let's say using your own device only, a lot of employees do not want to use their own device because they think that you are going to be able to retrieve some of their personal information. And similarly, if you give them a device to take home, devices connected to the network, right, so how do you protect that privacy? It's always a challenge for us. We tend to go with some sort of client to manage that endpoint. And it remains one of our biggest challenges at the university, when we ask you to bring your own device or if we give you a device. And some people even challenge two-factor authentication using an app: why should I use my personal phone? Right? So that's just the tip of the iceberg.
But it's a recurring problem that we're having. If I go down the list here, rapid adoption of cloud technology is one of the strategies that we were forced into. At the university, one of the very first things that we did when this pandemic started, and you had lockdown, was to move our e-learning platform to the cloud. Most of our services are in our data center. With this, we had to consider the volume of students, close to 20,000 students, accessing these services online. So that was what we call a rapid deployment to the cloud. Luckily, we were able to outsource that, and do some back-end connectivity for the authentication and so on. And the last one probably is unplanned intervention. Sorry, unplanned reinvention to cybersecurity business models. So this is ongoing; we have to keep relooking at the cybersecurity model. In our case, we don't even have a cybersecurity team. Every week for the past 16 years. It is noted that I have led that area for the campus, but I have no staff, no permanently assigned staff. And this is a challenge for many. Mr. Chairman, many organizations, they don't have budget and they don't have resources for the normal IT operations, much less for cybersecurity. But with this new normal, I think it is bringing it to the forefront. It is absolutely necessary to first budget and put resources in this area. Otherwise, you're gonna flop. The earlier panelists spoke about the digital transformation taking place. As part of that digital transformation, ensure you have a budget and a structure, a governance structure, that will include cybersecurity. Right.
So overall, what we need to do as well, being from academia, I would say we need to build capacity. At the University of the West Indies, we have no degree program that is focused strictly on cybersecurity. So a lot of the businesses that need to build that capacity usually have the employees doing certification courses, or foreign courses. We need to build that capacity locally, and in the Caribbean. I've had some association with the CSIRT to Antigua, CSIRT. And some of the training that he had done, Carrie-Ann spoke about. It was a two-week intensive training program at the University of León in Spain. And when you go down, you look at NCB, that as the locals is it in Spain, and you see how they're set up, we ask ourselves, why can't we reach that point, just with the CSIRT? But since 2012, and as Maria said in the last panel discussion, we're waiting years and years and years to establish some of this legislation; by the time you establish it, it's out of date. So where is the Trinidad and Tobago Cyber Security Agency? That bill went to Parliament; the paper came from an inter-ministerial committee since 2012. It went to Parliament and lapsed. We need to actually step up in those areas so that we could have this joint collaboration and this capacity building. We shouldn't just rely, for example, on the national CSIRT; we should have a hierarchical set of CSIRTs within business groups, within academia, within the banking industry, with a different focus in these areas. And that feeds into the CSIRT and back down. So overall, I just mentioned a few of these things to categorize where the new normal is, to seed the discussion, which my colleagues Carrie-Ann, Aneesh and Nicholas already went into some detail into. Thank you.
Thank you very much, Raj, for bringing that experience with academia. And I want to stress again, the purpose of putting this panel together with this level of expertise was to really give you that type of insight into all of the fields that we should all be concerned about: academia, private sector, public sector, and personal usage of computers. When I was growing up many years ago, I heard this metric being talked about back then: 50% of computer users have been hacked, and the other 50% still don't know that they have been hacked. So I want to kick this off with a question back to Carrie, who started the discussion. Carrie, you know, how much of a threat is cybersecurity in our region and globally? I know you started talking about cybersecurity in our region, when we are such global players now in terms of vendors that we deal with, other countries that we have relationships with. I want you to try the cybersecurity in our region and global, Carrie.
Um, I think you could probably take it from, even as much as we don't talk about some of the CARICOM approaches as we should, if you think about the fact that all the way back in, I would say probably 2014, 2013, CARICOM heads of government had actually tiered cybercrime as like a tier one threat. It's actually been on our agenda for years. Now, it's not something that hasn't been considered a tier one threat. And a lot of it is as a result of, as you said, lack of knowledge. It's not recognizing that once you're connected to the internet, you're vulnerable. It's not a matter of if, it's when. And one of the things that we promote: it's not a matter of being fearful. It's like knowing that if you drive on the streets, you could have an accident. But it doesn't mean that you stop driving. It just means that you take the precautions: you put on your seatbelt just in case of an accident, you make sure that you keep your eyes on the road, you use your indicators. So I think thinking about cybersecurity through those lenses, it's not a matter of cybersecurity being a threat, but it's more how can we put best practices in place so that if something happens, the impact is mitigated as best as possible. I think that's the perspective I'd want to throw instead.
Okay, good. I'm heading a little more into some of the areas of technical background, and maybe Aneesh could give us a feel for this. When I look at the Gartner statistics on, you know, where people are being cyber attacked and what their metrics are, Gartner says that, you know, RDP compromise is about 50%, 57% of the cyber attacks that happen. Email phishing, various forms of email phishing, about 26%. Comes from Latin, other malware, viruses and stuff like that, 16%. So it seems that phishing, RDP compromise, and timed releases of malware seem to be the highest, or the most profitable, most consistent, most found. How would you recommend to our audience how they handle these three things: phishing, RDP compromise, timed releases of malware? Aneesh.
So, just to give some statistics about those instances before I answer the question: as of this morning, I checked the record this morning, and as of this morning, they have 202 exposed RDP systems in the Trinidad and Tobago IP space, right, as 202 different machines with a direct line of communication from the outside that attackers can potentially take advantage of. So there was actually an increase in that from right before COVID to now of about 17% in the number of RDPs that we've seen in the Trinidad and Tobago space. Now, in the case of protecting in this sense, right, the general rule of thumb is that unless absolutely necessary, and there's no other physical way possible, Remote Desktop Protocol shouldn't be exposed directly to the internet. You access it through a VPN. So the persons who would need access to the service or the device would VPN securely into the network first, and then they can move from there into RDP, into remote desktop, and into whatever device they need to get into. In the context of phishing, right, it's really centered around user education, right, cybersecurity awareness.
Because no matter how many spam filters and security measures that we do, there are still many instances where phishing emails get through. So really, you're relying on your staff at that point, you're relying on your workers, you're relying on the people of your organization to identify what a phishing email is, and in order to do that, you need to train them to do so. And, George, what was the last point?
It was timed releases of malware, where malware is getting into your system but it doesn't become activated until three months, six months later. So all the things that are coming into your system don't get activated for a while. And people have been getting away from cyber attacks because they feel that they have backups. But what happens is that the malware is affecting the backups. So you can go back three months, six months, one year and still have your backups being affected by malware. The most recent example of this is something that we've seen called the sneak ransomware, that actually goes back one year before it gets activated. So you may think that you're safe, but your backups are not.
So, instances like that. And we have seen a handful of cases in Trinidad where the backups are also infected. You know, you get a ransomware attack, or you get some sort of attack on the front end, and you go to restore your data and your backup data is also compromised to that extent. Right? So in instances like this, it really goes towards how do you back up your data, right? Backing it up and leaving it. So you need to monitor what you back up, you need to do your antivirus checks on your backups, right? You know, and you also need to make sure that they work, right, every so often. You need to make sure that your backups work when you do go for them, right, in the unfortunate circumstance where you have to go for it. You know, there was one instance where they put the backup in and the backup was corrupted, right? So we need to look at identifying these things on the network. Well, in the backups first, and after, from a network perspective or from a host-based perspective, right, make sure you have up-to-date antivirus, make sure you have up-to-date network security systems, so that when this malware does get activated later down the line, whether it's a month, a week, you know, two, three years down the line, you have your up-to-date system that will be able to identify, track and mitigate it on the spot. And then somebody there who's dedicated to respond.
Okay, good. So, you know, as the world moves away, we feel we've had lots of attacks on the RDP space. And everybody recommends you should be using VPN and using RDP for internal logons and all kinds of stuff. And a new topic seems to be around identity management. The weakest link in any security chain is the end user; we all know that. They are the people who will click a link, even if you print it on their foreheads: do not click that link if it looks suspicious, do not open an attachment. So we're all familiar with that. But where do you guys think that we should be going next in terms of how we identify correctly, either through single sign-on or multi-factor authentication protocols? Where is the world heading? Because, you know, from my point of view, it's much easier for a hacker to go after your password and your credentials into a system rather than trying to hack your network firewall appliance, because they are putting in too much security, you know. And remember, they said this is a $20 billion industry. The hackers want maximum gain for these efforts. So they're going to issue a million emails a day, and if they get two or 3% responses and compromise your passwords, that's a good payback for them. I was reading an issue on this: your password and your internet and your email address sell for about 15 US dollars on the dark web. Don't ask me how I got that information, please. So, Nicholas, Raj, can you talk to us a bit about identity management and where we need to go as organizations, as, you know, people? How do we manage this whole process and raise the level of security awareness? Nicholas or Raj, any one of you guys.
Raj, if you want, I can jump in, and then, Raj, interrupt me whenever you want to make comments. I think that things have changed, not a lot, but significantly. I mean, of course because of the pandemic, but from a cybersecurity perspective, there are changes in the way we deal with everyday work and with our everyday social development. What I mean with this is that we still access a lot of sites and places using the internet that need identity. There are many resources that we access that don't need us to authenticate. So my first reflection or advice will be: okay, only use authentication when you need it, when you really need it. I mean, don't provide your information when it's not needed, because that will make your activity more risky. Then, in the cases that you need to provide authentication and personal information or whatever, for example accessing bank accounts, which we do on a daily basis to pay for our expenses and a lot of stuff. We are, you know, moving from buying in person to buying online, like massively moving to online buying and exchange of goods. And of course, you will need to authenticate yourself and you need some kind of identity. So in those cases, I mean, it's kind of difficult to tell or to mention a secret recipe to avoid being, you know, the target of a threat. But what I should say is that you are the ones, we are the ones, that know which is normal and which is not normal.
I think we have to educate ourselves, we have to read, but we have to, I mean, bring the attention that we have to educate our children also, because now they are more and more using the internet, and using it in a way they probably didn't use it before. I mean, it's massive, and they don't know about what is phishing, and they are authenticating when accessing their school resources, they are authenticating when watching, you know, streaming cartoons or whatever they watch on streaming services, and they need to know what is normal and what is not normal. And they need to know what to do in case they find something that looks not normal. So that will be my first recommendation: to try to educate yourself and your family about this new way of, you know, of living, let's say. And the other thing is that, again, as I mentioned before, you have to take care of your own infrastructure. You have to, you know, update your systems, your applications. You have to use strong passwords. Don't use, you know, root slash root or password slash password 123. And if they ask me to change the password once a month, don't use password one, password two, password three; you know, use something more complicated. Maybe use some password admin app; there are a lot of apps to admin passwords. So you can generate a quite strong and strange password and store it there. So you don't have to, you know, remember, because passwords that we have to remember are always easy passwords, because we can't remember complicated stuff. So if I generate a random number or character string, I have to store it somewhere, write it down. You can even write it down. I know, not in a place like behind your screen, you know, not just on your desk, but where nobody can see. So you do this, okay? You type it at that.
That's okay.
Nicholas, just to interject, you said that I can. Thank you. So in terms of the passwords, what I want to ask is how many of our listeners and viewers use two-factor authentication on their Gmail account. Right? Do you know you have that facility? And this is where we have a lot of challenges: the average non-tech user does not go through the process to set up two-factor unless of course they get from 01 or one over by two is less email me as I will see strengthen your security by Stephanopoulos two factor, and then they will go through the process. But it has been shown mathematically that a complex password is not as good as a long password. We will have auditors that will come into our organization, they will go through the usual scripts, and they will have a checklist: do you use complex passwords, do you have expiry of 90 days, and so on. And those things, it is in the standards that it is not necessarily recommended that you do that. Where you should head is with a proper two-factor. And once you do that, if I get your password, I know your username, I get your password, with that second factor, which is actually personally on you, it's more difficult for that attacker to actually complete the authentication process. And we do have some banks in Trinidad where you have, for example, a matrix card that is a two-factor. You have it on you what were the type of cameras have been pointed out to someone before you hold it in your hand, ie a camera, I could pick that up, what 100 Exu cameras now I do those bank customers, what some of them I experienced in is they have to secure that particular card from the families as well. And that's why your tread is sometimes when it comes to finance, managing your personal finance, we have better two-factor than that. That is across the base rolling code, which some of the other banks are employing. So as an organization, when you choose two-factor, you have different strengths that you could look at, different levels.
Now I'm not at any bank that has the matrix card, because you can supplement that with additional things, which they do, by the way. So you have email alerts that follow through when a login occurs. Right. So you have to balance that, the cost and implementing it. So the question was: you have free two-factor, free Gmail. Do you use it? And why don't you use it? The challenge is always that human factor to set it up, to get it set up.
We experienced this at the university, purchasing a two-factor solution for our VPN. In the early days it was costly; it actually had an annual fee attached then. I think that was like about five, six years ago. And we moved to another solution, now just a one-time fee, yet it's too much per token for about 2700 staff, to give a two-factor solution costing each token about 300 TT, right? So we had to innovate. When this pandemic started, we actually had just under 200 of those two-factor tokens rolled out. And we hardly went to the vendor and x, y, z course comm you get 200 more. But one of the other things that we realized: this vendor was running an education program and I happened to jump in on it, and I discovered that they had a free two-factor, or in a sense it existed; it was the email two-factor. So within a few days, we actually were able to implement the email two-factor. And basically we split our VPN into the three technologies to balance the load. We had what we call the IPsec VPN, with really strong two-factor, which was based on the app and the rolling code. Then we had what we call the SSL VPN. And the reason we went with this IPsec and an SSL: again, we reached a roadblock, where you had to educate users how to set up the client, the IPsec client being more difficult to set up than the SSL client. So the SSL client was a simpler configuration; we actually branded it over on boys and brought it VPN light. It took like less than a minute to set that up. And we tagged the email two-factor on that one. So once we do something like that, now you split it out, right, into a category A user set. So you don't have to reclassify your online users, you have to see what services they require, where they're located, what devices they're using, and reclassify. As a matter of fact, there is a Gartner report. It's published in June; the title is "Designing Security for Remote Workforce Enterprises".
And what that report is telling you is, yes, you do all these stopgap things, right, but you have to look at the medium and the long-term solution. And one of the summary questions they pose there is: is VPN the way to go? Right? Is that going to be your long-term solution? Or are you going to be looking more at cloud services? So identity, if I come back to the question, your identity is tied back in. You need these stopgap solutions, and you have to look long term. And what I've been seeing as well is that a lot of identity management is being built into applications. For example, Microsoft Office 365. For many, you have your two-factor rolled out with Office 365. We had to struggle to get that rolled out. Again, we bombed the education aspect of it for the user, right? How do you communicate that and get the user to use it, and even enforce that at times? We have 20,000 students; we have them on the 365 platform. It's not possible for us to do and only two factor for them.
So when you speak about phishing or Wireshark, you can actually stop a lot of phishing in that way. Because, as I see it, yes, they get your password, but they cannot go further. Right? So it is one of the most overlooked areas: you have to two-factor your VPN to stop some of these threats. But also look at it long term when you move to the cloud. Also think about Porter's five forces model. When you go and you start using some of these applications, and you're paying for it and you get tied in, how easy is it for you to move to another solution? A lot of businesses get trapped like that a lot of times, and I will constantly keep that in the forefront, the five forces model. Where is your bargaining power? That's where the five forces model, you keep the bargaining power on your table as much as possible. Right, it will be
Because we're coming down to the close of our time, I wanted to hold that point, because I'm seeing some questions coming up on the chat that might be related for you to give some explanations around. I do absolutely agree that, you know, multi-factor authentication is something that, as IT professionals, we try to insist that we do in our companies, but we don't take it on personally, and a lot of us don't practice good multi-factor authentication processes for our own devices, our own personal email addresses. We don't. So, because I want to give everybody a chance, I've seen lots of questions coming in. And thanks, Aneesh and Carrie-Ann, for posting links on the chat for things that you've been talking about; very much appreciated. I definitely love seeing Singh. Do we have any issues that have come up on the chat that you'd like to bring to our attention?
Ah, hi, everyone. My name is Steven Alexey, just confirming you're hearing me. Yes. Okay. Yes, sir. There's been a lot of discussion in the chat, with sharing of cybersecurity resources and so forth. But two questions have emerged. One is from Suzanne Andrews, and she asks: a lot of us are experiencing Carnival tabanca, and there are now several paid virtual events being advertised. So which body monitors and regulates online payment systems and online financial transactions in Trinidad and Tobago? In other words, if there is Carnival-related fraud occurring, to which body does the public report? That's the first question. Should I
know? Let's take that first question. I'm not sure. I'm sure.
Carrie.
So, um, I'll take it first. So when you look at the security of these systems, they generally have, I believe, some sort of accountability to the central bank when it comes to the security of financial transactions online. When it comes to the security of government online payment systems, the Trinidad and Tobago Cyber Security Incident Response Team, we handle those assessments here. When it comes to, let's say, an incident or breach of information or breach of data, we will be looking at the Trinidad and Tobago Police Service cybercrime unit and the fraud squad in TTPS.
Okay, good. Any one of my panelists has anything else to add on this particular question?
Yeah, I just think I would add to that: a part of it also is to kind of be smart about where the links are coming from. Um, one of the things that Raj kind of alluded to in terms of the user: the user is kind of the critical factor in the process. No matter how many firewalls you put on, or VPNs, where you're most vulnerable is the end user at the end of the day. So even if you are purchasing something online, or anything like that, one of the things I always do is double check back on the original website. And always do some amount of investigation. It doesn't have to be anything technical; just being a user, just double check the links. As I spoke about, there is electronic transactions legislation in Trinidad that protects those electronic transactions, and they are accountable. So I think just doing some due diligence as well helps. Oftentimes I get links to process payments, and before I put my credit card information in, I kind of double check the link. And I'm not technical, I'm a policy person, but I try to make sure the link is coming from the authenticated site itself. So that's also a good way to think about it, just from the practical side.
A very nice way to actually check to see if your link is legitimate is to try just googling it. If you could find a link through Google, and it's going to the website, then you know you're pretty much in a better standpoint, you know, than just clicking on the link off of the email. But
Also, George, one thing that I'm thinking of, one thing that could help, is that maybe some of us, at least, and it's not something that I did in the past a lot, is to make, you know, the habit of, I don't know, once a week, for example, having a look at our, you know, expenses charged to our credit cards and our debit cards. Because I use a debit card every day, or even more times a day, and, you know, small charges can be made, and a lot of money can be taken through stealing small charges. So it's a good thing or a good habit to, you know, take like half an hour once a week and have a look at my expenses and see if there's something that is not, you know, normal there, and just, you know, call the correct desk or office to raise my... Of course, the bank would be one of the first resources, but then there are, you know, consumer protection bodies, etc., we can go and see. But if you don't know what's happening, you cannot take any action. So the first thing, I think, is always to know what's going on and to know what I'm exposed to. Because we also normally talk about cybersecurity and protecting the system, but the ultimate goal is to protect the people behind those systems. Because I don't care if my phone crashes. I mean, I'm gonna be sad because I have to buy another one, and it's expensive. But anyway, it's a phone. The problem is when the people are impacted, and how we are impacted by those threats. So we have to make sure we know what's going on, for you to be able to act after that.
Thank you. I think it's coming back to that point of personal responsibility for those kinds of actions. Deb, is there any other question waiting for us to respond to?
Yes. Thank you, George, this is the end. So we do have a question from conditional recognizing: how feasible would it be to make it mandatory that organizations be associated with, or at least employ, a cyber response team?
The question is open to the panel.
Just from the practical standpoint, because I'm a non-technician, so it's always hard for me to speak when I have all these smart people with me. I'm just a policy person. But think about it more not in terms of a cyber response team, but to make sure that you have a cybersecurity response role within your organization. We always give those practical things to our member states, because I think people think of team and then automatically start thinking about a large budget. And then once people start thinking about the budget, they get intimidated, and then they just scrap the idea altogether. So what we always suggest is start small and think about: do I have someone who is my information security person? The role is assigned either to your IT person or you're hiring somebody for that. But think about the role, to make sure that somebody is actually checking the network, someone is actually responsible for coordinating your policies, and all your users within your organization know who to call if they have an incident. And then once you kind of build up that experience within your organization, you can then start to make a case to your CEO or your manager that, hey, this role is substantive, I need a budget line. And when you get the budget line, you may be able to hire a person. So kind of think small, because I saw in the chat persons talk about SMEs, and that's always the issue: we think big. And we always think this incident response team needs to have fancy screens on the wall, they need to have a million technologies, but all they really need is an open source ticket system, so someone can call them to report an incident, and someone is accountable to follow what the issue was and have some resolve. So think about it more practically. That's just my take on it. The technical people on here, who are the smarter people, can probably give you a better idea. But we always try to think about roles rather than just having a team, because that's usually intimidating.
I would just want to add to what Carrie-Ann just said: if you do want to go all the way and have a budget and set up an incident response team, there is RFC 2350, which is probably the easiest RFC you will find and can read in English to make sense. You could actually use that to guide you to set up your CSIRT, and actually come up with an initial budget and probably have a plan to scale it as time goes. So look for that RFC 2350.
Rogers that um, you know, for SMEs or small and medium. They probably don't know what an RFC is. And it probably is not. It's way beyond their capability of thinking.
Whiting's, I said, George, is the simplest RFC you can find, easy to read, it's in English. I think Aneesh would support me on that.
It's one of the easier ones, definitely.
on fried chicken and chips, I'm, that's not my forte, it's not my strength. I'm dependent on one person or one of the half persons that are in my employ managing IT, that has a million tasks to do at the end of the day. So I'm trying to get a feel for how do we elevate the importance of this subject for people whose core business is not IT and security? How do we get that message to them? Sure,
I think that to add to what Karen said at the beginning, I would add to that, I would say that we also have a cybersecurity role within our family now, I mean, this has changed again. So we are all our own cybersecurity team. In the past, we didn't care about cybersecurity, maybe some of us cared because it's part of our job, but not because on Sunday we will read about cybersecurity, maybe I read a novel but not about cybersecurity. So I will say take your time, or a little time at least, to know what is going on out there to be able to act, because there's a common saying that says, I mean, sometimes it's better not to know how to solve something, but to have the number of the one that knows how to solve it. But to call that one person, you have to know what's going on. So they can say okay, I should go this. So inform, be informed, you are your own urine. We are on our own at a certain level now, but you know, okay,
So just to add my take on it, particularly for small organizations. The C suite is here, if you need advice, if you need direction, you know, so feel free to reach out to your website or email. And, you know, we can more than help you, you know, dependent on resources, of course. In a way, it's still like government entities, the resources are strapped. But, you know, we'll do our best to guide you in the right direction. And, you know, how much of a collaboration is needed, we could work with it from there.
So actually, my point of view is that that's where the responsibility and the accountability should really exist. Because the government at the end of the day is the one that should be challenged and should be the one that has the budget to understand the importance of having this access for its citizens. We can't obviously all set up CCS in our organizations, but there should be that central governing body. And do we have any more questions on the web that we need to respond to?
There's another question from Luke. Sorry, David, I'm here speaking. And the question is, when we consider the future of digitalization in the Caribbean, what are the expectations of the IT fraternity in terms of CARICOM involvement are the key stakeholder as a group in making things move faster?
I'm going to skip that conversation because, as some of you know who have had other conversations or attended our other seminars, we've been speaking about something called the Caribbean Data Protection Act for the Caribbean, really modeled against the GDPR. And we've been trying to bring this, and the best way to bring this up, with the CARICOM governments. And just like everything else, it depends on where they see as priorities of getting important legislation like this enough. And for those of you who want more information on that, you know, please feel free to visit IGF TT to see the last discussion that we've had on this. Back in November, I think it was, when we had a major discussion on CDPR. But you have to be honest, we don't have the outlet to get it to the CARICOM and, more importantly, get that decision to be made at the highest level. And this is important enough to have to make a decision and leave it open to anybody else who's on a panel to give their input on it.
I think that if you go back and look at the inter ministerial report to set up the cyber security agency for Trinidad and Tobago, one of the line items in that report speaks about as when you set up your csudh you even set it up in such a way that you will have collaboration lines with Odyssey sets what vocally what more so regionally and internationally. Because you're really on the internet, which is a global network, you cannot really protect yourself from incident in isolation, you have to collaborate. And this is where I mentioned in the earlier discussion that the US was involved and assisted with building capacity with Trinidad and academia and building a network out regionally. They actually involve all US countries. So of course, did you do that? Based on your own networking? I don't know. The question was more towards having a more formal curriculum body for overseeing something like that. I know our Prime Minister sits on the CARICOM chairs, I think the Security Committee, their cybersecurity committee. So there's something probably we need to take forward and see if one of these days we get the csh anatomy CSA set up soon. Or do we have that collaboration, at least not just that he sees it but the higher level government and higher levels at the national level in different areas of cybersecurity. We have to
make a note that Rogers advertise that we send a WhatsApp to Docker only to agenda. Somebody else had a comment.
Right. So when you look at cybersecurity at a CARICOM level, we do collaborate with some of the other c certs in CARICOM. When it looks at policies are security policy across CARICOM, that's handled usually by CARICOM IMPACS. They have a cybersecurity group inside there that tries to coordinate and that level in the case of all locals is how we get information to and from is actually true to us through a network policies that America has, where we have a direct line of resistance on the side of the hemisphere, you know, a very easy way for us to share information and receive information about threats and activity and the like. Right.
So one comment on that is that there is also something that some, I mean, all governments may do, which is, for example, to publish or make available to the public good practices, I mean, not only to the domestic side, but to ISPs, for example, Internet service providers and organizations. There are a lot of protocols that may be deployed that protect the users and then it works from different kinds of threats or cyber attacks. There's a lot to do in that field. And one role of the government is to, you know, promote that, to invite all the organizations or the internet service providers to deploy those protocols to be able to be more, you know, secure and protected. Okay, for a technical and network perspective. Good.
And just to wrap up that point. I think just to follow on from Nicholas and Aneesh, one of the things we've been focused on other oils is capacity building. So for the rest of the year, we've been encouraging our certs to reach out to some of their constituents when we do have free open training. So at least not just members of the cert, but other certs within the country that they work with to be part of the training, because a national network is only as strong as each of the network operators actually cooperate with each other. So having your ISP as a part of the training and having your private sector, your public sector, parts of the training, so that when the cert reaches out to them, it's not the cert trying to build the capacity, but everyone is kind of on par with the knowledge that's needed for information sharing. So we even just spoke everyone to know we did something recently with the Pacific Alliance called misc, which is one method of information sharing platforms. And we've been encouraging our member states to think about information sharing among the national certs and other persons within the country to be able to share data, because it's not a matter of getting the data out in the region. If something is happening in Trinidad, more than likely, it's probably happening up the pipeline in Jamaica, it's probably happening in Barbados. But because nobody's talking about it, everyone is being knocked off one by one, like a secret assassination happening that nobody's talking about. So if we start to share information and put it in the right protocols, that's one of the things we actually developed for the Pacific Alliance, an information sharing protocol. So among the four countries in their lines, they're able to use that protocol, common terminologies, common taxonomies, for different incidents. Everyone says penetration is penetration, this kind of attack is an attack. So everyone is speaking the same language.
If five pins mean that it's a serious incident, everyone tears it the same way and can share data. So it's something that we're thinking about for the Caribbean, and we're going to see how we can figure out how to roll out that kind of training to make sure that Caribbean countries start to think about it the same way as well. That's fine to throw that out. Excellent point,
Gary. Folks, we were pretty much near to what our end of time was there. If you have any further questions, can we encourage our participants to probably send them, or we can follow up separately and leave in specific things, but a lot of this comment and a lot of the presentations will be at the igf.edu website. And if you have any further questions arising when you leave, and you said, Hey, I should have asked this question of this panel, please feel free to contact us at info@mag.tt. And I do encourage you to join the mag soon, and you can be part of these discussions as we go forward. In the remaining time that we have left, I would like to have each panelist give a one minute overview on where you would really like to see this go next based on this discussion and all points that have arisen, in one minute or less. So I'll throw something at you if you take more than a minute. So Carrie, why don't we start with you?
I think I just want to encourage everyone on the call to think about cybersecurity not as an intimidating undertaking. Cyber hygiene is what we promote, and thinking about how you brush your teeth, comb your hair. Internet is now our new life. It's not something that is a distant future where we think it's something out of our reach. Our kids are online. We are online every day, some of us are stuck at home online. So that's the only interaction. So I think I just wanted to leave with everyone to think of cybersecurity as a hygiene motto. Do your due diligence of the ATM machines, do your password changes, all the tips we've tried to give you here. Just try to employ them. I shared in the link the Stop. Think. Connect. website, because it's a very neutral platform that gives tips for every business, citizen, everyday person. So just wanted to leave with that.
Great finish.
Right. So what I want to leave you guys with is, you know, to change how you think about cybersecurity a little bit. It's not just an IT responsibility, everyone in the organization has a part to play. And there are simple steps, you know, to improve your cybersecurity posture, right, as Carrie mentioned: keep your stuff up to date. Know your assets, know what you're protecting and know the information you need to be protected. You know, because not everything on the network needs to be protected at a Fort Knox level, you know. So, identify where you need to protect and prioritize. You know, that's the best way you could use your resources and conduct disease. If you need advice, you need guidance, reach out to us, we are here. You can reach out to us through our website, or our primary email address is contacts at tt csirt.gov.gg.
Great, thank you so much. Hamish. Nicholas.
Thanks, George. I think Kevin and Aneesh did a great summary of what the future and recommendations will look like. But what I may add to what they've said, more or less the summary of what they say, is that cybersecurity is part of our life now, more than in the past, because a great part of our social interactions and our life turned to almost fully online for a year now. And probably it's going to take another year or so to go back to some degree of what we had before in terms of personal, you know, face to face interaction. So this is part of our lives now. And we must act in consequence for that. And to add more, I want to tell you that we in ICANN, one of our goals is to provide, you know, capacity building on all ICANN-related topics, and we have our curricula, we have a lot of capacity building proposals to provide. We can also coordinate with Korean, we are coordinating actually with Korean with an issue with Iraq. So we can all set up a capacity building scale for any organization or group of users or anyone wanting to go deeper into this pattern. So I'm open, just drop me an email or contact George, and he will contact us and we can coordinate and start right with that. So thanks very much for your time and for the invitation to this panel. Sure. Sure.
Thank you, Nicholas. Raj.
I think my colleagues said almost everything. I just posted a link on the chat. To close things off, if you take a look at that particular document from Gartner, it will actually guide you in setting up a roadmap for the short term, long term, medium term. And it's basically along the lines of what the entire discussion was about and I'll carry on and an Asian Nicholas just summarize, but it'll actually give you a printed roadmap. You could sit down, read, digest, and of course expect that to change as the situation changes, but just keep up to date with it. And follow the roadmap, and I saw someone also posted one from the UK Government. So look out for those types of well informed documents.
Great. Okay, great. Thank you, Raj. This brings us to the end of our panel discussion this morning, right on time at 1245, which was the advertised time. It's impossible to cover a topic like this within, you know, 90 minutes. This could be a day or two or three days kind of discussion just to get everybody's input. So I do appreciate very much, first of all, our panelists who gave their time freely this morning. We had a couple of pre meeting discussions, so thank you all for the pre discussions, and for actually spending your time with us today. I'm sure the audience enjoyed what was presented. To our valued audience members, thank you so much for joining our conference today. And again, all the partners submission on the questions that you have given us, you certainly have given us food for thought. And we will probably need to have a follow up session or sessions on particular areas of what you guys have brought up. So thank you very much for your time. The members of the IGF team Ltd man, thanks a lot for putting this together. And if you have any comments, anything that you'd want to give us advice on or need answers on, info@mag.tt is where you need to go, and I ask you to join the mag, it's free membership and you are kept abreast of the activities that are happening and how you can bounce up. With that, without much further ado, thank you very much. Enjoy the rest of the day. Be safe out there, be healthy, and thank you