Cyber Security Ecuador
I started working with the Ecuadorian government in February 2012. There were many challenges that the government was facing: firstly in the security of the nation’s systems and networks, and secondly in its data management. A number of threats were the focus at the time: denial of service, malware, identity theft, misuse of data and phishing.
I worked alongside Christian Chicaiza, Security IT Director; Juan Carlos Castillo, Infrastructure Director; Gabriel Llumiquinga, IT Security Specialist; and two IT security analysts, David Arce and Karina Zhamungui. We also interacted with people from the development team led by Wilson Flores, and with our boss Medardo Mesias, Infrastructure and Security Coordinator.
As part of a team, we effectively researched and developed new technology-based security projects for the National System of Public Data (SINARDAP, Spanish acronym). We proactively managed security tools such as firewalls, IPS, IDS, antivirus and load balancers, and we monitored and secured the cloud infrastructure, including producing weekly cloud infrastructure security reports.
We also designed, developed and managed security procedures for the SINARDAP; updated, implemented and monitored standards, policies and security procedures; and proposed strategic maps to improve the security of the cloud infrastructure.
We established the requirements to secure the following systems: the National Public Data Registration System (SINARDAP, Spanish acronym), the National Property Registration System (SNRP, Spanish acronym) and the National Mercantile Registry System (SNRM, Spanish acronym). We restructured the security backbone of all Registration Institutions and of the National Directorate of Public Data Registration (DINARDAP, Spanish acronym) by implementing endpoint, perimeter and database security, amongst others.
This meant a next-generation firewall connected to and controlled from the main city and backed up in other cities; IDS, load balancers and access control for web servers; endpoint security on every computer and server of the institution, including antivirus, antispam, port access control and DLP; access security and database control; and configuration and change control on servers. It also meant CCTV at every Registration Institution to ensure physical security, including biometric systems on specific doors and fire and humidity detection systems, because cyber security must be complemented by physical security.
As well as dramatically improving cyber security, through these protocols we made it possible for people to access their own public data through a single website. We also created the Infodigital System, a website that only public institutions can access. They are able to search for citizens’ public data when they need it, eliminating the use of ID copies and other procedures between institutions. It also reduced the citizen’s waiting time for each procedure.
Government systems are a fundamental part of a nation’s organisation, and political decisions can jeopardise their stability: some cyber attacks are a reaction to political decisions that have caused inconvenience to citizens. It is therefore advisable to create a business continuity plan and to increase monitoring of the network architecture and systems, especially the most sensitive ones such as health, traffic and national security, among others.
Our work reduced the waiting time to complete procedures in commercial registries, property registries and other institutions. Government institutions use the Infodigital system internally, so citizens perceive this improvement through the reduction of paperwork. At the beginning, the system generated controversy among citizens, since their public data could be consulted from a single access point. However, the standards used, the policies and procedures implemented, and the equipment and configurations deployed generated confidence among the system’s internal and external users.
Confidentiality, Integrity and Availability of the Data
Sometimes, when adding protection to information, we forget about the users’ work. Adding layer after layer of protection also adds obstacles for users and makes their work more complex. This is why we must keep in mind the CIA triad, confidentiality, integrity and availability of the data: data must be available to authorised users, and it must be modifiable only by them.
Confidentiality: data must be accessed only by authorised users. For example, in a sales company the sales staff should have access to the customer database, while human resources staff do not need it.
Integrity: data must be correct and accurate, which is why it must be modified only by authorised users and through authorised processes. For example, Dr. Alice has access to her patients’ medical records and can generate prescriptions; an unauthorised change to prescription information could result in a patient’s death.
Availability: data must be available when it is needed. For example, the university’s academic year begins and students want to register, but the system does not show the available courses, or, even worse, the system is unavailable.
Securing a Nation
Key vulnerabilities are specific to each nation or organisation; which ones matter depends on what you are trying to protect, on the company or society involved, and even on that particular moment. There are vulnerabilities that are exploited in the UK but not in South America, because we use different devices and systems. For example, more than 50% of people in the US use iOS, while in Ecuador it is less than 20%.
Therefore, attacks on iOS vulnerabilities are fewer in Ecuador than in the US. This does not mean we don’t have to protect against them; it means they are not a priority. Every system, company and society needs to be analysed before listing the vulnerabilities that have to be addressed, in order to prioritise them.
At that particular time, we were focused on the following types of vulnerabilities. Network: during data transmission. Internal users: authorised access to data and prevention of its misuse. Unsolicited system changes. Denial of service: monitoring of requests to the system. System registration: creating procedures so that the citizen who owns the data is also the owner of the account, avoiding identity theft.
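The "monitoring of requests to the system" point above is the kind of check that can be run directly over web-server logs. The following is an added example, not code from DINARDAP or SINARDAP: it parses access-log lines in the common Apache/nginx combined format, keeps a sliding window of request times per source IP, and flags any source that sends more than a threshold of requests within the window. The log lines, the IP addresses (from the documentation-only ranges), the request path and the threshold of more than 10 requests in 10 seconds are all constructed assumptions for illustration.

```python
"""Sliding-window request-rate monitor for web-server access logs.

Added example for the "monitoring of requests to the system" point; it is
not code from DINARDAP or SINARDAP. The log lines are constructed, and the
threshold (more than 10 requests from one IP within 10 seconds) is an
illustrative assumption rather than a value from the original text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: the client IP is the first field and
# the request time sits in square brackets.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (not a real capture): 198.51.100.22 behaves normally,
# while 203.0.113.7 sends twelve requests in six seconds. The path
# "/consulta" is a placeholder, not a real SINARDAP endpoint.
SAMPLE_LOG = """\
198.51.100.22 - - [10/Mar/2013:08:00:00 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:02 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:02 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:03 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:03 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:04 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:04 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:05 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:05 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:06 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:06 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:07 -0500] "GET /consulta HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2013:08:00:07 -0500] "GET /consulta HTTP/1.1" 200 4120
198.51.100.22 - - [10/Mar/2013:08:00:09 -0500] "POST /consulta HTTP/1.1" 200 882
198.51.100.22 - - [10/Mar/2013:08:00:20 -0500] "GET /logout HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return (ip, datetime) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts


def find_offenders(lines, max_requests=10, window_seconds=10):
    """Flag source IPs that exceed max_requests within any window_seconds span.

    Lines are assumed to be in chronological order, as a server writes them.
    Returns {ip: ISO-8601 time of the request that first crossed the limit}.
    """
    recent = defaultdict(deque)   # ip -> request times still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines instead of aborting the run
        ip, ts = parsed
        q = recent[ip]
        # Drop requests that have aged out of the window for this source.
        while q and (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        q.append(ts)
        if len(q) > max_requests and ip not in offenders:
            offenders[ip] = ts.isoformat()
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} exceeded the request limit at {when}")
```

On the constructed sample the monitor flags 203.0.113.7 at its eleventh request (08:00:07) and leaves 198.51.100.22 alone, because that client's three requests never fall within one 10-second window. In practice the threshold and window are tuned per endpoint, and a flagged source is fed to the firewall or IPS as a block or rate-limit rule rather than only printed.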
Personal and Professional Pride
Ever since I started working at DINARDAP I have felt proud of myself. Being part of an exceptional group implementing large projects such as SINARDAP, SNRM and SNRP, which reduce the waiting time for citizens, has been a big part of my life. Knowing that I worked for the citizens and not for a company filled me with pride every day. In August 2013, I began my master’s in Forensic IT; I was awarded a scholarship to continue my studies, but this unfortunately brought my role with the government to an end for the time being.