2018 Cyber Security Baseline Report on Jamaica (gCBRJ)
Summary: An educational security analysis of Jamaica's TOP 285 main corporate websites.
Titled: OBEDIENT TARGETS - Technology | Education | Opportunities
Research Period: July 1-15, 2018. | Published: July 27, 2018. | Security Researcher: Gavin Dennis CISSP, CISM, CASP, eWPT, CySA+, CEH
SSL Usage
Statistics on how many of the 285 websites used HTTPS
- *226 is the total number of top websites that supported HTTPS connections, including invalid SSL certificates.
- 65% (186 of 285) do NOT load in HTTPS when visited. Of those 186, 57% allowed users or administrators to submit login details, which places those login details at risk of capture.
SSL Grades
Grading from A (best) - F (poorest) on how well HTTPS connections were configured
SSL Configuration
Below are the SSL versions used on websites with a valid certificate. Only 62% (141 of 226 websites supporting HTTPS) used a valid SSL certificate.
Security Headers Usage
Statistics on how many of the 285 websites set Security Headers in their responses.
Security Headers Grades
Grading from A (best) - F (poorest) on how well Security Headers were set and configured
Summary of Main Issues
Most websites (65%) did not use HTTPS to secure communications between themselves and users. Most of the websites (57%) that only used HTTP left users' credentials vulnerable to capture, because they allowed users to log in or required administrators to log in.
Most websites analysed (73%) did not set the expected security headers in their responses. Missing security headers mean a lower level of security between users' browsers and the affected websites.
Most websites analysed (84%) were not detected to be using a web firewall to protect themselves from attackers. No web firewall leaves any website at greater risk of being compromised.
A small but concerning number of websites (15%) disclose an administrator's likely username.
Web Firewall Use
Websites using a publicly detectable web firewall
Disclosed Admin Usernames
Statistics on how many top websites disclosed usernames of their administrators.
Suspicious or Malicious Files Detected
Websites hosting a file or link flagged by an anti-malware scanner as suspicious or malicious
IT Security Education
Statistics on how many publicly advertised post-secondary educational institutions offer an IT Security focused course/qualification.
Government Support
Formal government support for Cyber Security
National Cyber Security Plan
National Incident Response Team
Cybercrime Law
Data Protection Law (Draft)
Web Server Operating System Use
CMS Use
- WordPress: 93 (33%)
- Joomla: 24 (8%)
- Drupal: 30 (11%)
- Kentico: 3 (1%)
- Other: 8 (3%)
- *No CMS Detected: 127 (44%)
Learn more about the Researcher
This report was independently done by Gavin Dennis, a Cyber Security Consultant from Jamaica.
Professional Summary
Cyber Security Consultant
Penetration Tester
CompTIA SME
Researcher
Speaker
Author
Mentor
# of top websites analysed - 1/3
10 - Agriculture, Fishing and Forestry
15 - Education
15 - Government Ministries and agencies
15 - Health and Medicine
15 - Mail, Shipping And Logistics
15 - Manufacturing and Industrial
10 - Public Utilities, Environment and Sanitisation
15 - Travel (Local and Int'l) and Accommodation (Local)
# of top websites analysed - 2/3
10 - Audit and Accounting Services
15 - Banking, and Investments
15 - Computers and Technology
10 - Legal
15 - Media, Marketing and Communications
15 - Other Business Services
15 - Real Estate and Insurance
15 - Retail, eCommerce and Remittance
# of top websites analysed - 3/3
10 - Automotive
10 - Clothing and Fashion
10 - Construction, Renovation and Home Improvement
10 - Entertainment and Events
10 - Food and Beverage
15 - Gambling, Sport, and Recreation
Why HTTPS is important
Kayce Basques - "You should always protect all of your websites with HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both your websites and your users' personal information, HTTPS is a requirement for many new browser features, particularly those required for progressive web apps."
3 core reasons:
Quoted from an article on Google's Developer blog titled Why HTTPS Matters by Kayce Basques, Technical Writer for Chrome DevTools
Why Security Headers are Important
Caleb Fenton (Veracode) - "Whenever a browser requests a page from a web server, the server responds with the content along with "headers". HTTP security headers are headers that let you tell your customer's browser how to behave when handling your site's content."
3 core reasons:
The opening quote from an article on Veracode's blog titled HTTP Security Headers in Plain English by Caleb Fenton
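To make concrete what "telling the browser how to behave" looks like in a response, here is a small checker, added to this page and not code from the gCBRJ report, that lists missing or weakly set security headers and maps them to an A-F letter. The header list, the weakness checks, the 180-day HSTS threshold and the grading scale are assumptions for illustration; the report does not publish its own grading criteria.

```python
"""Grade an HTTP response's security headers.

Added example, not code from the gCBRJ report: the header list, checks
and A-F scale are assumptions; the report's own criteria are not published.
"""
from typing import Dict, List, Tuple

# Headers that tell the browser how to handle the site's content.
EXPECTED = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options", "referrer-policy")
MIN_HSTS_AGE = 180 * 24 * 3600  # assumed threshold: 180 days in seconds

def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0

def find_weaknesses(headers: Dict[str, str]) -> List[str]:
    """List missing or weakly set security headers (names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    issues = [f"missing {name}" for name in EXPECTED if name not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < MIN_HSTS_AGE:
        issues.append("weak strict-transport-security: max-age below 180 days")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        issues.append("weak x-content-type-options: expected nosniff")
    if h.get("x-frame-options", "deny").lower() not in ("deny", "sameorigin"):
        issues.append("weak x-frame-options: expected DENY or SAMEORIGIN")
    if "'unsafe-inline'" in h.get("content-security-policy", ""):
        issues.append("weak content-security-policy: allows 'unsafe-inline'")
    return issues

def grade(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Map the issue count to a letter (assumed scale: 0=A, 1=B, 2=C, 3=D, 4+=F)."""
    issues = find_weaknesses(headers)
    return "ABCDF"[min(len(issues), 4)], issues

# Constructed sample responses, not real sites from the report.
BARE = {"Content-Type": "text/html", "Server": "Apache"}
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer"}
PARTIAL = dict(GOOD, **{"Strict-Transport-Security": "max-age=300"})

if __name__ == "__main__":
    for name, sample in (("bare", BARE), ("good", GOOD), ("partial", PARTIAL)):
        print(name, *grade(sample))
```

The BARE sample mirrors the 73% of analysed sites that set no security headers at all and grades F; PARTIAL shows that a header can be present yet still count against the site when its value is too weak.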
Why web firewalls are Important
Idean Vasef - "Firewalls protect you from the bad guys by using customised filters. These filters are a basic set of rules that are defined in order of prioritisation. This is important because as a company, you only want authorised and safe traffic accessing your website."
3 core reasons:
The opening quote is from an article on hostduplex.com's blog titled The importance of a Web Application Firewall for WordPress Sites by Idean Vasef
Why IT Security Education is important
The world is moving to a technology-focused style of operating, and that brings many security risks. If we don't have Jamaican citizens trained in IT security, we will have to pay for other countries to support us, which is not economical. - Gavin Dennis
More reasons why:
In an article by the JIS, Senior Advisor in the Ministry of Science, Energy and Technology, Trevor Forrest, stated that Jamaica lost US$100 million due to cybercrime, and a report for 2017 showed more than 230,000 threats detected in a month.
Extract from Verizon's 2018 DBIR: "At first glance, identifying 53K+ incidents in only 12 months suggests an information security dystopia, an uneven playing field where the bad guys consistently win out."
JIS source: "Everyone at Risk for Cybercrime" by Tomeica Gunn
Verizon source: Verizon 2018 Data Breach Investigations Report by Verizon
Why a clean website is important
Websites hosting malware may attempt to infect a visitor's computer through various methods, or trick the visitor into revealing personal data and then use that data to attack them digitally. The hosting of such content can be either intentional or unintentional. In some cases, a user can be infected simply by opening an infected web page or downloading an infected file from an infected website.
More reasons why:
Ref: Section 14 - "Offences by Bodies Corporate" of Cybercrimes Act of 2015
Why government support is important
Cyber Security is simply another branch of a national security effort. Why? Because with today's advances in technology, someone can attack you digitally in ways just as damaging as a physical attack, and that is a security risk that should be a government concern.