2018 Cyber Security Baseline Report on Jamaica (gCBRJ)

Summary: An educational security analysis of Jamaica's TOP 285 main corporate websites.


Titled: OBEDIENT TARGETS - Technology | Education | Opportunities


Research Period: July 1-15, 2018. | Published: July 27, 2018. | Security Researcher: Gavin Dennis CISSP, CISM, CASP, eWPT, CySA+, CEH

SSL Usage

Statistics on how many of the 285 websites used HTTPS

35% (99 of 285) automatically loads in HTTPS. Goal: 100%
35%

79% (226* of 285) allowed a MANUAL connection over HTTPS (including 85 invalid SSL certificates).
79%

38% (85/226) supporting HTTPS provided an UNTRUSTED (Invalid) SSL certificate. Goal: 0%
38%


  • *226 is the total number of top websites that supported HTTPS connections, including invalid SSL certificates.
  • 65% (186 of 285) do NOT load in HTTPS when visited. Of those 186, 57% allowed users or administrators to submit login details, which places those login details at risk to capture.

SSL Grades

Grading from A (best) - F (poorest) on how well HTTPS connections were configured

Grade F (Poorest): 42% (94 of 226)
42%

Grade E: 0% (0 of 226)
0%

Grade D: 0% (0 of 226)
0%

Grade C: 4% (8 of 226)
4%

Grade B: 19% (42 of 226)
19%

Grade A (Best): 36% (82 of 226)
36%

SSL Configuration

Below are the SSL versions used on websites with a valid certificate. Only 62% (141 of 226 websites supporting HTTPS) used a valid SSL certificate.

Supported SSL v2(very weak): 4% (5 of 141)
5%

Supported SSL v3 (very weak): 9% (12 of 141)
9%

Supported TLS 1.0 (weak): 72% (102 of 141)
72%

Other weak SSL configuration: 40% (56 of 141)
40%

Supported TLS 1.1 and higher (strong): 72% (102 of 141)
72%

Security Headers Usage

Statistics on how many of the 285 websites set Security Headers in their responses.


Content-Security-Policy: 2% (6 of 285)
2%

X-Frame-Options: 20% (58 of 285)
20%

X-XSS-Protection: 8% (22 of 285)
8%

X-Content-Type-Options: 17% (49 285)
17%

Strict-Transport-Security: 5% (13 of 285)
13%

Security Headers Grades

Grading from A (best) - F (poorest) on how well Security Headers were set and configured


Grade F (Poorest): 73% (209 of 285)
73%

Grade E: 5% (14 of 285)
5%

Grade D: 16% % (46 of 285)
16%

Grade C: 3% (8 of 285)
3%

Grade B: 2% (6 of 285)
2%

Grade A (Best): 1% (2 of 285)
1%

Summary of Main Issues

Low use and poor configuration of HTTPS

Most websites (65%) did not use HTTPS to secure communications between themselves and users. Most websites(57%) that only used HTTP, left users' credentials vulnerable to being captured because they allowed login for users or required login for administrators.

Low use of Security Headers

Most websites (73%) analysed did not set expected security headers in their responses. Missing security headers means a lower level of security between users browsers and affected websites.

Low use of Web Firewalls

Most websites analysed (84%) were not detected to be using a web firewall to protect themselves from attackers. No web firewall leaves any websites at greater risk of being compromised.

Exposed Administrative Usernames

A small but concerning amount of websites (15%) disclose an administrator's likely username.

Web Firewall Use

Websites using a publicly detectable web firewall

16% (46/285) were detected using a publicly disclosed web firewall.
16%

Disclosed Admin Usernames

Statistics on how many top websites disclosed usernames of their administrators.

15% (43 of 285) publicly disclose usernames of administrative users. Goal: 0%
15%

Suspicious or Malicious Files Detected

Websites hosting a file or link flagged by an anti-malware scanner as suspicious or malicious

1% (4 of 285) websites hosted a suspicious or malicious file.
1%

IT Security Education

Statistics on how many publicly advertised post-secondary educational institutions offer an IT Security focused course/qualification.

2% (2 of 89) offered ONLY an IT Security degree
2%

1 % (1 of 89) offered a degree and training for an independent certification
1%

8% (7 of 89) offered training to prepare students for an independent certification
8%


Government Support

Formal government support for Cyber Security

National Cyber Security Plan
National Incident Response Team
Cybercrime Law
Data Protection Law (Draft)

Web Server Operating System Use


CMS Use

WordPress

93

33%

Joomla

24

8%

Drupal

30

11%

Kentico

3

1%

Other

8

3%

*No CMS Detected

127

44%

Read the Researcher's Analysis

Get the deeper story and what you should be concerned about as a Jamaican person or business.


READ MORE

Download PDF (extract from .zip file)

Share this report with every Jamaican interested in IT, business and cyber security.


DOWNLOAD

Learn more about the Researcher

This report was independently done by Gavin Dennis, a Cyber Security Consultant from Jamaica.


VISIT WEBSITE
profile image

Gavin Dennis

Cyber Security Consultant

CISSP, CISM, CASP, eWPT, CYSA+, CEH

Helping people and companies around the world to protect their digital assets.

Professional Summary

Cyber Security Consultant
Penetration Tester
CompTIA SME
Researcher
Speaker
Author
Mentor

More useful resources by Gavin

Cybercrimes Act of Jamaica (Simplified)
Cyber Security Blog
Cyber Security Volunteers
Cyber Security Standards
Penetration Testing Guide
Cyber Security Policies
Cyber Security Awareness Tips

# of top websites analysed - 1/3

10 - Agriculture, Fishing and Forestry
15 - Education
15 - Government Ministries and agencies
15 - Health and Medicine
15 - Mail, Shipping And Logistics
15 - Manufacturing and Industrial
10 - Public Utilities, Environment and Sanitisation
15 - Travel (Local and Int'l) and Accommodation (Local)

# of top websites analysed - 2/3

10 - Audit and Accounting Services
15 - Banking, and Investments
15 - Computers and Technology
10 - Legal
15 - Media, Marketing  and Communications
15 - Other Business Services
15 - Real Estate and Insurance
15 - Retail, eCommerce and Remittance

# of top websites analysed - 3/3

10 - Automotive
10 - Clothing and Fashion
10 - Construction, Renovation and Home Improvement
10 - Entertainment and Events
10 - Food and Beverage
15 - Gambling, Sport, and Recreation

Why HTTPS is important

Kayce Basques - "You should always protect all of your websites with HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both your websites and your users' personal information, HTTPS is a requirement for many new browser features, particularly those required for progressive web apps."

3 core reasons:

1. HTTPS protects the integrity of websites
2. HTTPS protects the privacy and security of users
3. HTTPS is the future of the web

Quoted from an article on Google's Developer blog titled Why HTTPS Matters by Kayce Basques, Technical Writer for Chrome DevTools

Why Security Headers are Important

Caleb Fenton (Veracode) - "Whenever a browser requests a page from a web server, the server responds with the content along with "headers". HTTP security headers are headers that let you tell your customer's browser how to behave when handling your site's content."

3 core reasons:

1. A security header can restrict unauthorised content from loading.
2. A security header can effectively reinforce connections over HTTPS
3. Some security headers help to block some attacks targeting website users

The opening quote from an article on Veracode's blog titled HTTP Security Headers in Plain English by Caleb Fenton

Why web firewalls are Important

Idean Vasef - "Firewalls protect you from the bad guys by using customised filters. These filters are a basic set of rules that are defined in order of prioritisation. This is important because as a company, you only want authorised and safe traffic accessing your website."

3 core reasons:

1. Web firewalls help to filter known malicious attacks.
2. Web firewalls help to filter unknown but suspicious requests.
3. Web firewalls make it far less likely for a website/web application to receive malicious code.

The opening quote is from an article on hostduplex.com's blog titled The importance of a Web Application Firewall for WordPress Sites by Idean Vasef

Why IT Security Education is important

The world is moving to a technology-focused style of operating, and that brings many security risks. If we don't have Jamaican citizens trained in IT security, we will have to pay for other countries to support us, which is not economical. - Gavin Dennis

More reasons why:

Jamaica is losing serious money because of Cybercrime

In an article by the JIS, Senior Advisor in the Ministry of Science, Energy and Technology, Trevor Forrest, stated that Jamaica lost US$100 million due to cybercrime, and a report for 2017 showed more than 230,000 threats detected in a month.

This year (2018) Verizon reported there were over 53,000 incidents and 2,216 confirmed data breaches.

Extract from Verizon's 2018 DBIR: "At first glance, identifying 53K+ incidents in only 12 months suggests an information security dystopia, an uneven playing field where the bad guys consistently win out."

JIS source: "Everyone at Risk for Cybercrime" Tomeica Gunn

Verizon Source Verizon 2018 Data Breach Investigations Report by Verizon

Why a clean website is important

Websites hosting malware may attempt to infect someone's computer through different methods or trick them into revealing personal data and then using that data to attack them digitally. These infections can be either intentional or intentional. In some cases, a user can be infected by simply opening an infected web page or downloading an infected file from an infected website.

More reasons why:

Websites with malware are likely to be downgraded in respected search engines.
People will avoid visiting publicly known infected websites, consequently leading to a business losing new and existing customers.
Business can suffer reputational damage and face lawsuits if their websites infect people's computers and cause loss.
Jamaica's Cybercrime law can charge companies in some situations.

Ref: Section 14 - "Offences by Bodies Corporate" of Cybercrimes Act of 2015

Why government support is important

Cyber Security is merely another branch of a national security effort. Why? Because now with the advances of technology someone can attack you digitally in ways just as bad as if it were physical, and that is a security risk that should be a government concern.

More reasons why:

The government is responsible for setting laws and have the authority to charge people for criminal behaviour.
The government leads the country's economy and makes the highest level of financial decisions concerning citizens.
The government has the primary responsibility to protect its citizens against harm.