Monday, April 24, 2023

The importance of Information Security in our lives – Part 2


 

2. In our shopping

According to an ECommerceNews study, there was a 53% increase in Electronic Commerce [1]. This percentage is not only a reflection of the boost E-Commerce received during the Covid-19 pandemic, but also reflects how comfortable Peruvians feel making their purchases over the internet.

Now, in that context, Information Security is represented by different factors, such as:

    2.1. From the end user point of view

           a. Keeping their PC's Operating System updated

           b. Keeping all software packages installed on the PC updated

           c. Having an updated anti-virus software package installed

    2.2. From the point of view of the E-Commerce Company service provider

           a. Keep SSL certificates up to date

           b. Have a Vulnerability Management program

           c. Have security controls in place to protect the internet-facing web site from external attacks (e.g. WAF, etc.)

           d. Have an Information Security team (internal or external) that can take control of the situation in the case of a cybersecurity attack

           e. Have secured backups of the web application and critical databases

           f. Have a network environment certified to the industry-standard PCI-DSS specifications in case user credit cards are used in the electronic transactions

           g. Be compliant with all local Information Security regulatory requirements
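A defender-side check for item 2.2.a above (keeping SSL certificates up to date; the same item appears in the Spanish version of this post). This is an added example, not code from the original post: it classifies the certificate a site presents by remaining validity and by whether its SAN entries cover the requested hostname, and the 30-day warning threshold, the `shop.example.com` names and the sample certificate dict are constructed assumptions.

```python
"""Certificate validity check for an e-commerce site (added example, not from the post).

evaluate_cert() works on the dict shape returned by ssl.SSLSocket.getpeercert(), so it
can run offline on a constructed certificate; fetch_and_evaluate() does the live
TLS handshake against a real host and evaluates whatever that host presents.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: treat anything under 30 days remaining as a renewal alert


def _name_matches(host: str, pattern: str) -> bool:
    """Match a hostname against a SAN entry, allowing a single leading wildcard label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def evaluate_cert(cert: dict, now: datetime, host: str) -> dict:
    """Classify a getpeercert()-style dict as ok / expiring-soon / expired / not-yet-valid
    and report whether it actually covers the requested hostname."""
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if now < not_before:
        status = "not-yet-valid"
    elif now > not_after:
        status = "expired"
    elif days_left < WARN_DAYS:
        status = "expiring-soon"
    else:
        status = "ok"
    return {"status": status, "days_left": days_left,
            "name_ok": any(_name_matches(host, n) for n in san_names)}


def fetch_and_evaluate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: handshake with the site and evaluate the certificate it presents."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, rejects expired certs
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return evaluate_cert(tls.getpeercert(), datetime.now(timezone.utc), host)
    except ssl.SSLCertVerificationError as exc:
        # A failed verification (expired, untrusted, wrong name) is itself the finding.
        return {"status": "verification-failed", "days_left": None, "name_ok": False,
                "error": exc.verify_message}


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "notBefore": "Jan 15 00:00:00 2023 GMT",
    "notAfter": "Mar 15 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
}


def evaluate_sample(now_iso: str, host: str = "shop.example.com") -> dict:
    """Evaluate SAMPLE_CERT as of a given UTC date (ISO format), for offline use."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return evaluate_cert(SAMPLE_CERT, now, host)


if __name__ == "__main__":
    print(evaluate_sample("2023-02-20"))   # expiring-soon, 23 days left
    print(fetch_and_evaluate("example.com"))
```

Because `create_default_context()` already rejects expired or mismatched certificates during the handshake, the live check reports those as `verification-failed` rather than reaching `evaluate_cert`; the offline evaluation is where the days-remaining warning is exercised.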

References

[1] https://www.ecommercenews.pe/ecosistema-ecommerce/2022/al-cierre-del-2022-el-ecommerce-en-el-peru-movera-us-20-millones-y-crecera-53.html




Saturday, April 22, 2023

The importance of Information Security in our lives – Part 2

 

2. In our shopping

According to an ECommerceNews study, 2022 saw a 53% increase in Electronic Commerce [1]. This percentage is not only a reflection of the boost Electronic Commerce received during the Covid-19 pandemic, but also shows that Peruvians feel increasingly comfortable making their purchases online.

Now, in this context, Information Security is represented by many factors, such as:

    2.1. From the user's point of view

           a. Keep the Operating System updated
           b. Keep all frequently used software packages updated
           c. Have an updated antivirus

    2.2. From the point of view of the company providing the E-Commerce service

           a. Have SSL certificates

           b. Have a Vulnerability Management program

           c. Have security controls in place to protect the website from external attacks (for example: WAFs, etc.)

           d. Have an Information Security team (internal or external) that can take control in the event of a cyber attack

           e. Have backup systems for the web application's data and for critical databases

           f. Have a network environment certified to PCI-DSS specifications in case users' credit cards are used for electronic transactions

           g. Have implemented the Information Security requirements issued by the Government Regulator

References

[1] https://www.ecommercenews.pe/ecosistema-ecommerce/2022/al-cierre-del-2022-el-ecommerce-en-el-peru-movera-us-20-millones-y-crecera-53.html



Monday, April 10, 2023

The importance of Information Security in our lives – Part 1


Societies, including the Peruvian one, are adopting digital solutions not only at the enterprise level, but also at the personal level. From the enterprise point of view, there are different digital solutions that, when adopted, not only become part of the technology available in the enterprise, but may also fall under the specific niche's regulatory requirements. This will require the enterprise to send periodic reports of specific KPIs (Key Performance Indicators), which should be aligned with specific incident reporting times, especially when these are associated with service availability and information security.

In the personal case, there is a plethora of digital solutions available, from food delivery and e-commerce to online banking, and a long etcetera. Due to the nature of these diverse applications, it is necessary to register personal information (e.g. first names, last names, birth date, ID documents, etc.), payment methods (credit cards, debit cards, etc.), and other details in our accounts. Creating the account and registering our personal data creates a trust relationship with the service provider, as our data will reside in their databases. These companies, as mentioned before, could be under regulatory requirements in their respective business niches, but this doesn't mean they are 100% secure.

To better understand the different threats our data could suffer, I have prepared a series of entries to share and, hopefully, create a little awareness about how to protect our data through simple processes. These are divided into seven parts and an additional one for conclusions.

  1. In our home

We have all heard of computer viruses and how they can damage our computers, and/or how they can infect our computers, stay silent for a long period of time and then extract specific information from our bank accounts, social media, email, etc. In this case information security, represented by an antivirus and an updated Operating System (OS), could serve as a preventive measure against these types of attacks.

In addition to the above, we should keep in mind that our digital identity has to be secured; in that sense, we should learn how to identify potentially malicious or illegal websites that are used to steal our identity and payment methods.

See you in the second part.






Sunday, April 9, 2023

The importance of Information Security in our lives - Part 1


Societies, including the Peruvian one, are adopting digital solutions not only at the enterprise level, but also at the personal level. From the enterprise point of view, there are different digital solutions that, once adopted, become not only part of the company's technology portfolio but may also fall within the regulatory scope of the regulator for the specific business niche. The latter will require the company not only to periodically report specific Key Performance Indicators (KPIs), but also to comply with specific incident reporting times, especially when those incidents concern service availability and information security.

In the case of personal use, digital solutions are far more varied: food delivery, e-commerce, online banking, and a long etcetera. Due to the nature of the various applications, it is necessary to register personal data (such as: first names, last names, date and place of birth, identification documents, etc.), payment methods (credit cards, debit cards, etc.), and more in our accounts. The act of creating the account and registering our data creates a trust relationship with the service provider, whereby our data resides in their databases. These companies, as mentioned earlier, may be under the observation of the local regulators of their respective business niches, but this does not mean they are 100% secure.

To better understand the different dangers our data may face, I have prepared this series of posts to share and, hopefully, raise some awareness of how to protect our data through simple processes. They will be divided into seven parts plus one for conclusions.

  1. In our home

We have all heard of computer viruses and how they can damage our computers, and/or how they can infect our computers, remain silent for a long time and then extract specific information from our bank accounts, social media, email, etc. In this case information security, represented by an antivirus and an updated Operating System, can serve as a preventive measure against this type of attack.

In addition, we must keep in mind that our digital identity has to be well protected; in this sense, we must learn to identify websites of dubious origin or illegal websites that are used to steal our identity and payment methods.

See you in the second part.




Monday, February 13, 2023

The lack of direction when it comes to Cybersecurity in Peru


Peru is a country with a great diversity of natural resources, and strategically located, which makes a variety of professional paths available for graduates of the different secondary schools to choose from. Obviously, the decision to study a specific career depends not only on the applicant's skills, but also on the economic benefit that the career in question can provide in the future, the country's industry demand for these professionals, etc.

In addition to the careers already established in the country, for example: medicine, law, various engineering disciplines, economics, etc., there are many careers destined for the future due to the greater use of technology in this era of the world, especially Information Technology (IT). But IT, in its vast variety, has a discipline that is very important at the moment, Information Security, and apparently in Peru only two leading higher education institutions are making efforts to create Peruvian professionals in this discipline: ESAN University (Master's level) and the National University of Engineering (UNI for its acronym in Spanish) (Undergraduate level) [1, 2].

It is important to mention that Cybersecurity is a discipline in high demand around the world, for many reasons, but basically due to the fact that a good part of the banking and commercial transactions we carry out every day use electronic systems, either from the web or from a mobile phone [3]. This high-demand discipline, which is based on the constant use of the acquired knowledge, frequent updating, and an environment full of challenges, means that these professionals can also work from Peru for other countries. Despite the fact that our country has been the victim of different computer attacks (including attacks against the armed forces) in which personal data was illegally extracted, there is little or no interest from other educational institutions in properly creating this professional career. In addition, it is more than disappointing that the Peruvian government, through its regulators of the different business areas, does not have clear and mandatory Cybersecurity regulations [4]. An additional factor is the little or no interest that private companies have in protecting consumer data, which significantly increases the risk of identity theft that consumers can suffer, since there is no communication when companies suffer computer attacks with illegal data extraction.

It is this lack of awareness about the importance of Cybersecurity that makes educational institutions show no interest in creating these faculties, which will have negative consequences in the near future. Now, it is not only a matter of creating awareness in the governmental and private spheres, but also of educating ordinary citizens that our digital identity is more than important in a world in which data will soon completely replace an identity on a printed card.

References:

  1. https://www.esan.edu.pe/conexion-esan/esan-graduate-school-of-business-presenta-la-maestria-en-gestion-de-la-ciberseguridad-y-privacidad
  2. https://rpp.pe/tecnologia/mas-tecnologia/uni-inaugura-carrera-de-ingenieria-de-ciberseguridad-noticia-1428538
  3. https://www.isc2.org/News-and-Events/Press-Room/Posts/2022/10/20/ISC2-Research-Reveals-the-Cybersecurity-Profession-Must-Grow-by-3-4-Mil-to-Close-Workforce-Gap#:~:text=Despite%20adding%20464%2C000%20more%20cybersecurity,not%20have%20enough%20cybersecurity%20employees.
  4. https://larepublica.pe/politica/gobierno/2022/10/08/hackers-en-la-dini-roban-secretos-militares-peruanos-de-ultimos-cinco-anos-guacamaya-leaks-ejercito-fuerzas-armadas
  5. https://rpp.pe/tecnologia/mas-tecnologia/peru-tercer-pais-mas-ciberatacado-en-america-latina-noticia-1359003






Monday, February 6, 2023

The lack of direction when it comes to Cybersecurity in Peru


Peru is a country with a great diversity of natural resources, strategically located, which makes available a variety of professional paths that graduates of the different secondary education institutions can choose to follow. Obviously, the decision to study a specific career depends not only on the applicant's abilities, but also on the economic benefit that the career in question can provide in the future, the country's industry demand for these professionals, etc.

In addition to the careers already established in the country, for example: medicine, law, various engineering fields, economics, etc., there are many careers destined for the future due to the greater use of technology in this era of the world, especially Information Technology (IT). But IT, in its vast variety, has a discipline that is very important at this moment, yet apparently in Peru only two higher education institutions in the leading sector are making efforts to create Peruvian professionals in this discipline, namely Information Security: these are ESAN University (Master's level) and the National University of Engineering (UNI) (Undergraduate level) [1, 2].

It is important to note that Cybersecurity is a discipline in high demand around the world, for many reasons, but basically because a good part of the banking and commercial transactions we carry out every day use electronic systems, whether from the web or from a mobile phone [3]. This high demand, based on constant use of the acquired knowledge, frequent updating, and an environment full of challenges, means that these professionals can also work from Peru for other countries.

Despite the fact that our country has been the victim of different computer attacks (the armed forces were even among the targets) in which personal data was illegally extracted, there is little or no interest from other educational institutions in properly creating this professional career; moreover, it is more than disappointing that the Peruvian government, through its regulators of the different business areas, does not have clear and mandatory Cybersecurity regulations [4]. An additional factor is the little or no interest that private companies have in protecting consumer data, which significantly increases the risk of identity theft consumers may suffer, since there is no communication when companies suffer computer attacks with illegal data extraction.

It is this lack of awareness of the importance of Cybersecurity that causes educational institutions to have no interest in creating these faculties, which will have negative consequences in the near future. Now, it is not only a matter of raising awareness in the government and private spheres, but also of educating the ordinary citizen that our digital identity is more than important in a world in which data will soon completely replace an identity on a printed card.

References:

  1. https://www.esan.edu.pe/conexion-esan/esan-graduate-school-of-business-presenta-la-maestria-en-gestion-de-la-ciberseguridad-y-privacidad
  2. https://rpp.pe/tecnologia/mas-tecnologia/uni-inaugura-carrera-de-ingenieria-de-ciberseguridad-noticia-1428538
  3. https://www.isc2.org/News-and-Events/Press-Room/Posts/2022/10/20/ISC2-Research-Reveals-the-Cybersecurity-Profession-Must-Grow-by-3-4-Mil-to-Close-Workforce-Gap#:~:text=Despite%20adding%20464%2C000%20more%20cybersecurity,not%20have%20enough%20cybersecurity%20employees.
  4. https://larepublica.pe/politica/gobierno/2022/10/08/hackers-en-la-dini-roban-secretos-militares-peruanos-de-ultimos-cinco-anos-guacamaya-leaks-ejercito-fuerzas-armadas
  5. https://rpp.pe/tecnologia/mas-tecnologia/peru-tercer-pais-mas-ciberatacado-en-america-latina-noticia-1359003


Tuesday, June 7, 2022

Addressing the Cyber Security Insurance dilemma




Mainly due to the increase in ransomware attacks around the world during the last few years, companies providing Cybersecurity Insurance or Cyber Risk Insurance are witnessing an increase in demand for their products.

Cisco defines Cybersecurity Insurance as: “Cyber insurance is an insurance product designed to help businesses hedge against the potentially devastating effects of cybercrimes such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or any other method used to compromise a network and sensitive data. Also referred to as cyber risk insurance or cybersecurity insurance, these products are personalized to help a company mitigate specific risks.” [1]

Those organizations that are able to afford the cost of a specific Cybersecurity Insurance policy need to understand that Cybersecurity Insurance does not represent a holistic solution for any Cybersecurity attack they could become victims of.

In general terms, Cybersecurity Insurance should be part of a well-structured Incident Response plan that organizes IT and non-IT departments across an organization, including their respective senior or C-level management, and is aligned with a wider Business Continuity Program (BCP). While the complexity of the Incident Response process is undeniably high, independently of the organization's size, efforts should be made to have it in place and ready to go in the case of a severe attack against the organization's IT infrastructure. Cybersecurity Insurance is the last resort in the established and practiced Incident Response plan, since it is designed to alleviate the cost of a successful attack and prevent the impacted organization from going bankrupt [2]. In this regard, the usual costs covered by Cybersecurity Insurance are: investigation, crisis communication, legal services, and refunds to customers [2].

Growing demand for Cybersecurity Insurance

Reportedly, ransomware attacks increased dramatically during 2021 and are still on the rise during 2022. Organizations impacted by this type of attack are paying the ransom in order to reduce the time needed to get their business-related information back, which triggers a different problem: organizations that decided to pay the ransom become targets of a ransomware attack again [3].

Moreover, ransomware is not the only problem; the threat landscape has also grown due to the adoption of remote work during the Covid-19 pandemic. Therefore, security organizations around the world have witnessed an increase in the complexity of their security strategies and the cost associated with them.

Main function of the Cybersecurity Insurance

The main function of Cybersecurity Insurance is to protect the organization from the cost associated with an attack that could have a considerable impact on the organization's operations. CSO indicates that “A cyber insurance policy coverage usually includes costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and refunds to customers.” [2]

Could having Cyber Security Insurance make me a target?

While there is no evidence proving that malicious actors are able to obtain firsthand information about which organizations have acquired Cyber Security Insurance, there is some anecdotal evidence that malicious actors are more than eager to find ways to learn which organizations have hired Cyber Security Insurance and the premium amounts of those policies.

Therefore, while hiring Cyber Security Insurance could give C-level executives some peace of mind, it should be accompanied by a solid security strategy and awareness.

Since Cyber Security Insurance could bring some level of last-resort protection to companies of all sizes, it should not be understood as the only measure available in your Security Strategy against a Cyber Security attack.

Before even considering hiring Cyber Security Insurance, organizations must create/review/improve their Incident Response plans, as mentioned in the beginning. Practicing that process in yearly internal drills is a good strategy to create muscle memory and be prepared when a real security incident occurs. In addition, it increases awareness and allows organizations to keep their contact lists updated. We will have more entries about Incident Response in the near future [8].

Conclusion

Cyber Security Insurance represents, if your organization is able to afford it, an additional layer that could prevent bankruptcy as a consequence of a Cyber Security attack, but it should not be considered the only available resource to handle a Cyber Security incident.

Careful assessment is required before hiring Cyber Security Insurance, which might have some requirements in terms of Vulnerability Management, Security Controls, Security Operations, etc., in order to calculate the premium.

References

[1] https://www.cisco.com/c/en/us/solutions/security/cyber-insurance/what-is-cyber-insurance.html 

[2] https://www.csoonline.com/article/3654216/is-cyber-insurance-an-invitation-to-cybercriminals.html#tk.rss_all

[3] https://www.techtarget.com/searchsecurity/news/252502519/Repeat-ransomware-attacks-hit-80-of-victims-who-paid-ransoms

[4] https://redcanary.com/blog/cyber-insurance/

[5] https://hbr.org/2021/01/cybersecurity-insurance-has-a-big-problem

[6] https://www.csoonline.com/article/3643054/cyber-insurance-explained.html#tk.rss_all

[7] https://www.darkreading.com/attacks-breaches/cyber-insurance-and-war-exclusions

[8] https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

