
Defence 'layers' key over cyber security

By YOURI KEMP

Tribune Business Reporter

ykemp@tribunemedia.net

An information technology (IT) specialist yesterday said the Government must upgrade its systems in “layers” to prevent a repeat of recent hacks at the Registrar General’s Office.

Scott MacKenzie, chief executive of Cloud Carib, told Tribune Business: “From a security perspective, for any system it is not about any particular technology. People like to think that technology ‘x’ is better than technology ‘y’, but that’s not really the reality behind security. Security is about layers of activity, so you have to start from the physical layer and go all the way up to the logical layer, which would be the user interface.

“You have to start with where is it located. How is the physical access controlled, who has access to it physically, and then you have to work on it from an operational perspective - who has operational access, how do you secure the network. Then you start looking at the actual server itself and the application that resides on that server. So it’s about a huge laundry list of activities in order to say how do I make something secure?”

Carl Bethel QC, the attorney general, told the Senate yesterday during the 2020-2021 Budget debate that recent hacks and intrusions at the Registrar General’s Department had “made absolutely clear the need for a systemic upgrade” across IT systems.

“This department holds valuable data pertaining to citizens, residents and businesses, and its services are a vital component of the ease of doing business in The Bahamas,” he said. “The Government, through the Department of Transformation and Digitisation, has seen fit to approve a much-needed software upgrade for the Registrar General’s Department, which will take place in the next six months.”

While he described previous alleged failures to upgrade cyber security at the Registrar General’s Department as “water under the bridge”, Mr Bethel added: “We cannot, however, make the same mistake twice. Hence, the most aggressive steps are being taken to address any remaining defects.

“Going forward, and in line with our aim to increase efficiency and productivity, and the ease of doing business in The Bahamas, the Registrar General’s Department earlier this year was authorised by Cabinet to enter into a contract, and is in the process of obtaining a state-of-the-art online corporate registry, which will be developed by the company that developed the corporate registry for a regional jurisdiction which provides exemplary financial services, and which is one of The Bahamas’ largest financial services competitors.

“The specific terms of the contract are still being finalised with the assistance of the Office of the Attorney General. The goal is to create a complete database for all company filings. The proposed system will have two platforms, one that will be developed specifically for use by individuals, and another that will be developed specifically for use by financial and corporate service providers.”

Mr Bethel said this registry will have a system for bulk payments to be made for up to 250 companies, while registered agents will be able to obtain a list of companies under their remit in an easily accessible format along with standard reports on any company. A notifications feature will provide automatic payment alerts prior to the imposition of penalties and fees.

Cloud Carib’s Mr MacKenzie, responding to revelations by Mr Bethel that one hack at the Registrar General’s Department had gone unnoticed for five months, said: “What tends to happen is that one of the very complicated techniques that hackers are using today is something as simple as your human resources department.

“Let’s say a human resources department’s job is to look at resumes, but what a lot of hackers are doing is that they are embedding malicious code into PDF resumes and then sending those things to human resources. Then human resources people are opening these things, which add malware to their desktop, which then could infect servers and infrastructure if their desktop is not properly protected.

“That’s why I say it’s about layers, because in order to protect that security chain you should have stuff at the network edge that’s looking for malware. You should have stuff at the desktop looking for malware, you should have stuff on the servers that are looking for malware, because that is something that’s hard to protect against.

“At the end of the day, human resources departments are going to get resumes and they have to open it, because that is their job. By opening resumes that have malicious code, that malicious code is now on that computer system.”
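The “malicious resume” attack Mr MacKenzie describes relies on features of the PDF format that let a document do more than display pages: an /OpenAction that fires when the file is opened, a /JavaScript or /Launch action, an embedded file. The scanner below is an added example written for this page, not code from the article or from Cloud Carib: it is the kind of check that sits at the network edge or on the desktop, ahead of the human who has to open the file. The two sample PDFs are constructed for the example; the list of risky names and the quarantine policy are the example’s own choices, not a complete rule set.

```python
import re

# Constructed sample documents (not real resumes). BENIGN_PDF is a blank
# one-page file; MALICIOUS_PDF adds an /OpenAction that fires a JavaScript
# action as soon as the file is opened, with the /JavaScript keyword hidden
# behind a PDF name escape (/J#61vaScript) to evade naive keyword scanners.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.launchURL("http://example.invalid/p", true)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF names that let a document do something other than display pages.
# This list is the example's own selection, not an exhaustive catalogue.
RISKY_NAMES = {
    b"/OpenAction": "action runs automatically when the file is opened",
    b"/AA": "additional actions triggered by page or form events",
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/Launch": "launches an external program or file",
    b"/EmbeddedFile": "carries an embedded file (often a dropper)",
    b"/RichMedia": "embedded Flash or other rich media",
    b"/SubmitForm": "posts form data to a remote URL",
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF names, e.g. /J#61vaScript -> /JavaScript,
    so that obfuscated keywords are matched like plain ones."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> list:
    """Return [(name, reason, hits)] for every risky name present in `data`.
    A non-PDF payload (e.g. an .exe renamed to .pdf) is reported as well."""
    if not data.startswith(b"%PDF"):
        return [("header", "file does not start with %PDF", 1)]
    text = normalise_names(data)
    findings = []
    for name, reason in RISKY_NAMES.items():
        # The name must end at a delimiter, so /JS does not match /JSON etc.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if hits:
            findings.append((name.decode(), reason, hits))
    return findings


def verdict(data: bytes) -> str:
    """Policy for the mail gateway or desktop hook: quarantine anything with
    active content, allow plain page-only documents."""
    return "quarantine" if scan_pdf(data) else "allow"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(label, verdict(doc), scan_pdf(doc))
```

A byte-level scan like this catches the plain and the name-escaped forms, but a real gateway also has to inflate FlateDecode streams and object streams, where the same keywords can sit compressed and invisible to a raw search, and it should hand anything it cannot classify to a sandbox. That is the point of the layering argument above: the edge filter, the desktop agent and the server-side controls each catch what the others miss.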

Mr MacKenzie said passwords were becoming less relied upon as a defence mechanism. “To be honest, from a password perspective, passwords are dying. Passwords will probably be extinct within the next five or ten years. That’s why companies are moving to basic facial recognition for authenticating users,” he added.

“It’s much better for people to move to things like one-time passwords or multi-factor authentication, and that’s why you’re seeing a lot of banks saying that even if you have a password, they are forcing you to get something on your mobile phone or a token or a key. So as soon as you add those two factors, it makes it more secure.

“There is a big movement in the IT industry to eliminate passwords altogether, and we will probably end up with pin codes like what you have at the automated teller machines, along with that one-time token that is sent to your mobile phone.”
