Researcher's Analysis of results
Feedback from Gavin Dennis on what the findings mean for both Jamaican businesses and citizens
Summary of Sample Size - 285 top Jamaican Businesses
285 TOP corporate websites of Jamaican businesses were examined for basic security controls. A "top" business was identified based on a combination of its considerable income, size, economic impact, and popularity among Jamaicans. First, 22 operating categories were selected after assessing the local business categories operating in Jamaica. Next, the top 10 to 15 businesses in each category were selected, and their main corporate website analysed. Additional generic security checks were done which were independent of the 285 websites, such as the level of government support, and educational opportunities.
Below are the main questions the research wanted to answer using only publicly available information.
- How many websites automatically load in HTTPS and how well is their HTTPS configured?
- How many websites respond with expected security headers when browsed?
- How many websites seem to use a web firewall to protect themselves from attacks?
- How many websites publicly hyperlink suspicious files and URLs for users to select?
- How many post-secondary institutions offer courses focused on IT security qualifications or training?
- What kind of support does the Government of Jamaica provide for Cyber Security?
Overview, and Description of Coloured Ratings
The best and poorest performers in our sample included businesses that earned the highest and lowest in either their industry or entire sampled group of 285. This result suggests there was very little relation between the earnings of top Jamaican businesses and how well they implemented basic security controls on their corporate websites.
Nationally, Jamaica has support for Cyber Security, through the government implementing a National Cyber Security Strategy, a Cybercrime Law and National Cyber Emergency Response Team (CERT). During the period of research, the Data Protection Act was not yet finalised.
Meanings of coloured ratings across this report
Most businesses (over 50%) achieved poor results, which means they failed to implement basic security controls on their corporate websites. This performance considered a combination of whether they automatically load their websites in HTTPS, set expected security headers, use a web firewall and their website was free from suspicious files.
Businesses in the sub-categories of Computers and Technology, Government Ministry/Agency, and Retail on average performed just as poorly as businesses without any above average responsibility/expectation or natural IT expertise to implement basic Cyber Security controls on their corporate website. This suggests that businesses with a more natural pool of technical IT support poorly implemented basic security controls on their websites.
Top Performers (B+ to A on average):
Only 1 (0.4% | 1 of 285) local business scored an "A" in all basic security checks. That means only one (1) top business enforced HTTPS with strong cyphers, set expected security headers appropriately, used a web firewall, and had no detection of suspicious or malicious content. This company was NOT from the category of Computer Technology, Retail nor Government. This company is in the Audit and Accounting Services category. Let that sink in. An audit firm outperformed all top businesses, even those providing security services. This proves that implementing the analysed controls is a realistic goal for Jamaican businesses.
The best performers were large businesses that were regulated and could face hefty fines, such as those in the Payment Card Industry (PCI). Their smaller and far less regulated competitors fell surprisingly short in some areas and even achieving a failing grade (f) in the minority of cases. This suggests that regulatory or legal compliance requirements motivate businesses more to adopt good security practices.
Additionally, top-scoring businesses either have publicly known IT security staff or is a subsidiary or franchise whose parent company was based overseas.
Only 16% (46/285) of websites were detected using a web firewall, which was surprisingly low. A reliable web firewall service can be purchased for as little as US$10 per month. A good web firewalls dramatically helps to block common and uncommon website attacks. These attacks come in different forms, and not all are trying to gain unauthorised access to data. Some attacks try to overload a web server so it will crash and become unavailable to intended users (e.g. potential and existing customers).
Some forms of attacks that web firewalls help to block are:
- Injection Attacks
- Exploits for unpatched components
- Information disclosures
- Fuzzing attempts
- Zero-Day Exploits
Websites with Suspicious or Malicious Files
An anti-malware scanner flagged only a few websites (1%) for hosting a suspicious or malicious file/link. Although attackers commonly hide malware in private folders (not hyperlinked) of compromised websites, such a low count was good considering how poorly most websites performed in other security checks.
Google has previously declared that websites displaying signs of being hacked (compromised) will be highlighted in their search result with "This site may be hacked". Additionally, it is reasonable to expect that Google may down rank such websites to protect users of their search engines and to maintain their image of caring about web security. This is something businesses must realise and understand how it can impact their online reputation towards new and existing customers.
The Government of Jamaica has taken smart steps to implement a National Cyber Security Strategy, National Incident Response Team, and a Cybercrime Law (Cybercrimes Act). All of which should strategically help protect Jamaicans from the rising threats and risks of Technology and cyber criminals.
- Jamaica's National Cyber Security Strategy should help to lead the development of the local Cyber Security Industry and support national security.
- Jamaica's National Computer Emergency Response Team's (CERT) primary purpose is to "assist in the protection of Jamaica’s Internet infrastructure by coordinating defences against and responses to cyber attacks and threats"- JIS. This is good because many 1st world countries have already created a similar response team.
- Jamaica's Cybercrime Act provides "criminal sanction for the misuse of computer systems or data and the abuse of electronic means of completing transactions and to facilitate the investigation and prosecution of cybercrimes." - Min. of Justice*.
- The Government of Jamaica has drafted a data protection law (called the Data Protection Act) which "seeks to strengthen citizens’ ability to control the use of their data and to proactively decide how it can and cannot be used by third parties" - caribbeannewsnow.com**.
*Quoted from a post on the Ministry of Justice's website titled Cybercrimes Act
**Quoted from a post on CaribbeanNewsNow.com titled Could Jamaica’s Data Protection Act shield politicians from journalistic scrutiny?
The findings from this research indicate there is much room for both business and personal opportunities. Some of those are listed below:
- Cyber Security entrepreneurs have clear opportunities to support businesses in securing their websites.
- Students can identify where local businesses are performing poorly and can now position themselves to be more of an asset at the interview stage. E.g. Learning how to harden website and web servers (especially Linux web servers - the most popular in our sample of 285).
- Post-Secondary institutions can start investing in providing Cyber Security courses to meet the local and international market demand from businesses.
- Business should now have a better understanding of common shortfalls and how these can affect their competitive rankings and online customer base.
- Citizens should be better educated why their security as a user is important and should be valued.
- Businesses may start to lead by example especially since the internet is moving towards being more critical of websites that use poor security such as unencrypted connections (HTTP).
Key Recommendations to Businesses
- Put more focus on developing people with the skills to help your business protect its digital assets.
- Create more job roles focused on computer security and continuously empower your security staff to become trained and qualified.
- Don't be afraid to invest in training for technical and non-technical staff. The cost of recovering from a compromise will often outweigh your avoided security budget.
- Reasonably compensate suitably qualified security professionals. The more you earn, the more you will become a target and can lose financially from a compromise.
- Review your websites and web applications periodically to find security issues. Promptly fix significant issues to minimise getting compromised, especially quick fixes.
- Empower your web support staff with training so they can positively contribute to your business' cyber security effort.
- Periodically backup your entire website’s content to ensure it can be recovered quickly should it become compromised.
- Do your best to protect users browsing your businesses website by using HTTPS, setting security headers in responses and periodically checking for signs of compromise.
Recommendations to Web Developers
- Stop reusing user accounts to manage different corporate websites.
- Get training in web security and try to include basic security as part of your sales package. Include checks such as changing default usernames, enforcing strong passwords, tightening access controls on sensitive directories and files, checking for common information disclosures, setting security headers, and implementing HTTPS.
- Before you deliver a website to a client, at least run a vulnerability scan and fix the issues.
- Offer after sales support to clients to help them maintain good security during site updates changes and new security discoveries.
- Give clients a disclaimer who do not want security configured as part of their package because if you don’t, it could make you look bad as a web developer should the site become comprised because of something you "should have done".
- Avoid using the name of your client's business as your administrative login username. Also avoid publicly known usernames such as "admin", "administrator", "root", where possible.
Recommendations to Cyber Security students
- Invest in learning the cause of different types of security vulnerabilities and focus on finding solutions.
- Until Jamaica starts to create more degrees and qualifications focused on security, do online research for different international certifications, their requirements and where (in Jamaica) you can go to get training or sit the exams.
Recommendations to Policy Makers
- Write simply worded policies so staff can better understand what is expected. Also, empower your management team more to develop the knowledge and skills needed to handle daily security issues, and hold them accountable.
Recommendations to the General Public
- Learning about Cyber Security is a great way to apply the principles of being proactive and reactive to protect your digital assets. Although many make it seem to be all about computer systems, that’s not the case. Through basic research and a fresh perspective, you can learn principles to help you live a happier and better-protected life. Try to think deeper than the surface.
What could go wrong?
There are numerous discussions in the media around Cyber Security, and while it may be just business for many, poor computer security can cause serious trouble in someone's life for them and their family. Below are some real examples from outside of Jamaica to give you some perspective.
- Large reputable businesses have lost millions of records containing personal information on people because their security was breached.
- Attackers continue to send deceitful emails to people who get tricked into disclosing personal details which are then used to steal money from their bank account or commit identity fraud.
- Health care institutions have had their client's data encrypted and forced to pay a ransom
- People have been bullied online (cyberbullying) into committing suicide.
- Your health record being disclosed or sold online.
- All your money being stolen from your account a day before a potentially life-saving surgery.
- All your being stolen from your bank account a day before your university's deadline and you're final exam is tomorrow.
- Your home address and family's personal details being disclosed to the internet.
Below are some links any business should find helpful to start assessing and implementing important and expected security practices on their websites.
Assess HTTPS Configuration
- SSL Server Test by Qualys - a free online service that can analyse the configuration of any SSL web server on the public Internet.
Assess Security Headers in responses
- Security Headers by Scott Helme - a free, quick and easy way to assess how well security headers are implemented on a website.
Implement a Web Firewall
- Cloud Flare - Offers a cloud-based Web Application Firewall (WAF) service that's very user-friendly.
- Sucuri - Offers a cloud-based Web Application Firewall (WAF) service popular for WordPress sites.
- Radware - Offers a cloud-based Web Application Firewall (WAF) and more.
- Incapsula WAF - Offers a cloud-based Web Application Firewall (WAF) service, targeted to corporate customers (IMO).
Google Search security expectations
One website disclosed an administrator’s username which included the word “lazy”. The affected website did NOT implement ANY of the basic security checks analysed - Implying they are true to their name - LAZY!
Now, as a business leader that's not the kind of attitude you want someone to bring to your business. These types of things happen for multiple reasons, such as low staff morale or lack of awareness. These are sometimes subtle signs of more significant issues.
About this report
This report is an independent assessment by Gavin Dennis, a Cyber Security Consultant, to give educational awareness to Jamaicans about the state of security on local websites they likely visit.
Whenever reasonable, cite this report by crediting the researcher and providing a link back to this site - https://reports.gavindennis.com/cbrj
Please do not plagiarise. Thank you.
If you have any feedback, concerns, or suggestions, please contact the researcher at [email protected]