COP needed to fight cybercrime


23 November 2016
Building community and capability

First, the good news: 75 per cent of cybersecurity professionals are confident in their ability to respond to simple security incidents.

The bad news: Last year, it was 87 per cent.

Sharing some findings from an ISACA (Information Systems Audit and Control Association) survey conducted this year, the organisation’s international president Christos Dimitriadis added another disturbing fact – that six out of 10 respondents do not believe that their staff are able to address anything more than simple cybersecurity incidents.

The problem starts with the hiring process, said Dimitriadis, who was speaking at the inaugural CSX Asia Pacific 2016 conference in Singapore in November. He noted that one in four employers spent more than half a year searching for the right candidate, and when they eventually do manage to fill the vacancy, the candidate is often not able to hit the ground running.

This lack of in-house expertise keeps organisations from being innovative and stymies the deployment of new security technologies. 

Adversaries, on the other hand, are “smart, single-minded and creative”. “Cyberthreats don’t take a day off… and they only have to be right one time to out-manoeuvre an organisation.”

Organisations in every sector face cybersecurity incidents on a regular basis, and that is why the community is important – the cooperation between cybersecurity professionals, industries, academia and internationally between governments, said Dimitriadis.

This view was shared by Teo Chin Hock, deputy chief executive of the Cybersecurity Agency of Singapore. “Beyond deep competency, we also need the professional workforce to be more cohesive.”

The cybersecurity community needs to come together to forge a common identity and foster trust, he said, outlining plans by the government to work with organisations such as the Association of Infocomm Security Professionals, Singapore Computer Society and ISC2 to build up a Community of Practice where cybersecurity professionals can exchange insights and ideas and rally together to overcome threats.

A strong COP will help lay the groundwork for a sustainable source of expertise and solutions to support a resilient and trusted cyber environment, he added.

Teo also highlighted some of the programmes that are being developed to grow the pipeline of cybersecurity professionals in Singapore. For example, the Cyber Security Associates and Technologists (CSAT) Programme, a joint initiative by CSA and IMDA, is aimed at upskilling ICT professionals for cybersecurity jobs.

The programme will help to bridge the employment gap for new ICT professionals to take on cybersecurity roles and for mid-career professionals to convert to cybersecurity. There are currently four CSAT training partners - Accel Systems & Technologies, Quann, Singtel and ST Electronics (Info-Security).

It is also important to raise the competency level of the cybersecurity workforce with professional certifications in areas such as governance, risk and compliance; security testing; threat intelligence; incident response; digital forensics and malware analysis, said Teo.

For this, the government will be adopting internationally-recognised certifications. “The cybersecurity domain is moving at a very fast pace. We need best-in-class programmes based on international competency standards,” said Teo.

For example, in July, CSA and AISP partnered CREST, a not-for-profit accreditation body representing the technical information security industry, to establish a Singapore Chapter to introduce its penetration testing certifications and accreditations here. CSA will be driving the adoption of CREST or equivalent certification for penetration testing on critical information infrastructure, said Teo.

ISACA CSX also provides a suite of training programmes and certifications such as the CSX Fundamentals which caters to people without any prior knowledge of cybersecurity, and the CSX Practitioner which is a vendor-neutral, performance-based certification. It is also looking to introduce the CSX Specialist, which will involve a technical deep dive into different areas of specialisation.

Singapore’s desire to be a Smart Nation ups the ante in the cybersecurity stakes, said Teo. Today, there are smart refrigerators that manage groceries, allow users to connect with friends and consume entertainment in the kitchen. Pervasively-connected smart phones help monitor fitness and there are smart meters that analyse behaviours. “While these smart devices and gadgets bring insights and convenience, they provide additional vectors for attacks to disrupt essential services.”

He cited the example of the distributed denial of service (DDoS) attack on domain name system provider Dyn in the United States in October, where web cams, routers and smart refrigerators infected by the Mirai software were used to launch attacks. As a result, Internet access to major web sites in the US was disrupted. Closer to home, Starhub’s broadband services were disrupted by attacks launched from infected Internet-connected web cams and routers.

Teo noted that the global cost of cybersecurity attacks has multiplied six-fold from US$500 billion in 2015 to US$3 trillion in 2016, and that the cybersecurity landscape could change significantly with the massive scale of IoT to come.

“Cybersecurity needs to be an important consideration in the design of connected devices in IoT. We need cybersecurity professionals to assess the security levels of such devices, know how to protect them and disrupt the attackers’ kill chain,” he said. “Singapore cannot become a Smart Nation without becoming a safe nation first.”