The summary of my media kickstart on Cyber Security

On November 28th, I was invited as a guest on Smile Jamaica, a vibrant and top-rated morning TV program in Jamaica. The discussion was centred around a new ID system the government of Jamaica intends to implement, called NIDS – National Identification System. There has been much public discussion and criticism about how well the government will protect the data they would collect to help identify people. My purpose, as an Information Security (and Cyber Security) professional, who is independent of the NIDS system, was to further the discussion on security and the public’s concerns.

From a general perspective, the highest likely risk to digital Identification Systems from my perspective is Unauthorised Disclosure resulting in Identify Theft.

Extract of some feedback I gave in the interview

“There is much room for growth and for us to all contribute, whether we’re going to start pursuing courses in cyber security, whether the government is going to start sending persons on training; but there is much room for (us), the same people who may have or may not have an issue, to also contribute to making the (country) more cyber aware and more resilient and better protected”

Other Core points I expressed in the discussion

  • Risks must be managed where it’s not feasible to avoid them.
  • No active computer system is hack-proof.
  • Public care about the protection of their data is healthy for cyber security in Jamaica.
  • It’s difficult to trace the human identity of an attacker without getting other entities involved (such as law enforcement and internet service providers).
  • A CIRT team exists in Jamaica which supports the protection of data processing systems against cyber threats.

You can do something to improve cyber security in your country

  • Get trained and practice good cyber security habits.
  • If you’re interested in a cyber security career then pursue appropriate qualifications, and they get relevant experience
  • Find someone sensible to Mentor your journey. Preferably one person internal and another external to the Cyber Security industry.

Assuring Security of the NIDS Infrastructure

Although NIDS is said to be a database of data identifying citizens of Jamaica. It will rely on a network of systems to carry out its functions. Here is a list of 20 Cyber Security control areas both you and the government should be considering for securing NIDS and other corporate IT environments, based on CIS Top Critical Controls.

  • Control 1: Inventory of Authorized and Unauthorized Devices
  • Control 2: Inventory of Authorized and Unauthorized Software
  • Control 3: Security Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Control 4: Continous Vulnerability Assessment and Remediation
  • Control 5: Controlled Use of Administrative Privileges
  • Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • Control 7: Email and Web Browser Protections
  • Control 8: Malware Defense
  • Control 9: Limitation and Control of Network Ports, Protocols, and Services
  • Control 10: Data Recovery Capability
  • Control 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Control 12: Boundary Defense
  • Control 13: Data Protection
  • Control 14: Controlled Access Based on the Need to Know
  • Control 15: Wireless Access Control
  • Control 16: Account Monitoring and Control
  • Control 17: Security Skills Assessment and Appropriate Training to Fill Gaps
  • Control 18: Application Software Security
  • Control 19: Incident Response and Management
  • Control 20: Penetration Tests and Red Team Exercises

You can learn more specifics about these controls by downloading the CIS controls document from their website. I’ve added a link at the bottom of this article in the References section.

List of personal data elements

For those who are unaware, below is a list of identifying data the government has outlined it is authorised to collect for the new ID system. This list is from Section 15, Page 54-56 of The National Identification and Registration Act 2017.

Biographic Information

  • Full name
  • Date, time, and place of birth
  • Gender Height
  • Place of residence and mailing address
  • Nationality and Marital status
  • Place, date and age at death
  • Email address

Biometric Information

  • Photograph
  • Fingerprint
  • Eye colour
  • Manual signature
  • Retina or iris scan
  • Vein pattern
  • Footprint
  • Toeprint
  • Palm print
  • Distinguishing features

Reference numbers

  • Taxpayer Registration Number
  • Driver’s license number
  • password number
  • National Insurance number
  • Birth Entry number
  • PATH registration number
  • National Identification number
  • Elector Identification number
  • National Health Fund number

Registral History

  • Detailed history of each National Identification Card

Note: There are some items that are dependent on others but the fact remains the government is authorised to request the items above.

References

Photo of the Interview taken by Smile Jamaica team:

  • https://www.facebook.com/tvjsmilejamaica/photos/a.592204824156895.1073741826.115826968461352/1689970244380342/?type=3

Article written by RJR News about the interview:

Official link to Jamaica’s National Identification and Registration Act, and other Acts.

Direct link to the final version as at Dec 8, 2017

CIS Critical Controls