Author: Musa Drammeh

The recent cyberattack on The Gambia’s Central Bank underscores the critical vulnerability of critical infrastructure to cyber threats. The incident, which occurred in late May 2024, resulted in hackers compromising a server and potentially stealing two terabytes of sensitive data. Preliminary investigations indicate that the attackers exploited an unpatched vulnerability in the bank’s server software, enabling unauthorized access. While the identity and motives of the perpetrators remain unknown, initial analyses suggest the involvement of a sophisticated group with potential financial or political objectives. Though there is no confirmation of public data leaks, the compromised data likely includes Personally Identifiable Information (PII), raising significant concerns about privacy and identity theft.

Lessons from Similar Attacks

Sanusi Drammeh, Director of Cybersecurity at the Ministry of Communications and Digital Economy in The Gambia, stated, “In 2023, we intercepted a ransomware attack on our Central Bank.” Similar incidents globally highlight the critical need for robust cybersecurity measures. For example, the 2016 Bangladesh Bank heist involved hackers exploiting vulnerabilities in the SWIFT banking network, resulting in the theft of $81 million. Additionally, the 2020 cyberattack on New Zealand’s stock exchange disrupted operations for several days. These incidents underscore the necessity for comprehensive risk management and advanced security controls, lessons that are directly applicable to The Gambia incident.

Value of NIST Frameworks

The Gambia, along with other regional African countries, has begun to recognize the critical importance of cybersecurity policy and frameworks. Efforts are being made at both national and regional levels to enhance cybersecurity measures and protect sensitive data from increasing cyber threats.

For instance, the African Union (AU) has developed the African Union Convention on Cyber Security and Personal Data Protection (AUCC), which provides comprehensive guidelines and policies for member states to bolster their cybersecurity posture. Similarly, the Economic Community of West African States (ECOWAS) has been actively working on regional initiatives aimed at improving cybersecurity frameworks and fostering collaboration among its member states.

In The Gambia, the government, through the Ministry of Communications and Digital Economy, has formulated the National Cybersecurity Policy Strategy and Action Plan 2022-2026. This strategic plan is built upon seven key pillars

  1. Cybersecurity Industry
  2. Legal and Regulatory Frameworks
  3. International Cooperation
  4. Capacity Building, Education, and Awareness
  5. Institutional Framework and Governance
  6. Critical Information Infrastructure Protection
  7. Building Cybersecurity Capabilities

While there are a number of governance and framework models that are available, two standout frameworks that should be considered are the NIST Cybersecurity Framework (CSF) and NIST Risk Management Framework (RMF). Here’s a closer look at each:

  • NIST CSF:

    The NIST Cybersecurity Framework (CSF) is a comprehensive set of guidelines and best practices designed to help organizations manage and reduce cybersecurity risks. It consists of five core functions: Identify, Protect, Detect, Respond, and Recover. These functions provide a structured approach for organizations to:

    • Identify

      Their cybersecurity risks

    • Protect

      Critical infrastructure and data

    • Detect

      Security events

    • Respond

      Effectively to incidents

    • Recover

      From disruptions

  • NIST RMF:

    Specifically utilized by the whole of the US federal government to protect its sensitive data, the NIST Risk Management Framework (RMF) is a set of guidelines that provides a structured approach for managing security and privacy risks in information systems, and it integrates security and risk management activities into the system development lifecycle. The RMF consists of six steps:

    • Categorize

      The information system and the information processed, stored, and transmitted by that system.

    • Select

      An initial set of baseline security controls.

    • Implement

      The security controls and describe how the controls are employed within the information system and its environment of operation.

    • Assess

      The security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.

    • Authorize

      Information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation.

    • Monitor

      The security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Key Distinctions between CSF and RMF

The NIST Cybersecurity Framework (CSF) and the NIST Risk Management Framework (RMF) are both critical tools developed by the National Institute of Standards and Technology to enhance cybersecurity and manage risks, but they serve distinct purposes and are applied differently.

The CSF provides a high-level, strategic approach to managing and reducing cybersecurity risk across an organization and emphasizes a continuous improvement cycle to help organizations align cybersecurity activities with business requirements and risk management processes. Whereas the RMF provides a detailed, comprehensive process for managing security and privacy risks for information systems and emphasizes the integration of security and risk management activities throughout the system development lifecycle.

The CSF is designed for use by any organization, regardless of size or sector, to improve its cybersecurity posture. Meanwhile, the RMF is mandated for use by US federal agencies and contractors, though it too can be adapted by private sector organizations. Organizations can use these frameworks in tandem to address both strategic and operational aspects of cybersecurity risk management.

The Way Forward: How Could These Frameworks Have Helped?

Implementing frameworks like NIST CSF and RMF offers several significant benefits:

  • Standardization:

    They provide a standardized approach to cybersecurity, ensuring consistency and thoroughness across the organization.

  • Risk Management:

    These frameworks help in systematically identifying, assessing, and mitigating risks.

  • Compliance:

    Following NIST guidelines helps organizations meet regulatory and compliance requirements.

  • Continuous Improvement:

    Both frameworks emphasize continuous monitoring and improvement of security measures.

  • Incident Response:

    They enhance an organization’s ability to detect, respond to, and recover from cybersecurity incidents.

The Importance of Establishing a Similar Framework in The Gambia

While the NIST framework is not directly applicable in The Gambia, its underlying principles and benefits can prove invaluable. Implementing a similar framework would provide The Gambia with a structured approach to cybersecurity, facilitating systematic risk management and enhancing the security posture of critical infrastructure. Such a framework would ensure comprehensive risk assessments, robust security controls, and effective incident response plans.

Key Takeaways for The Gambia Central Bank

The recent hack on The Gambia Central Bank serves as a stark reminder of the importance of proactive security measures and a holistic approach to cyber risk management. As an experienced Information Security Officer (ISO), my observations and recommendations include

    1. No System is Immune:

      Even institutions like central banks, assumed to have robust security measures, are vulnerable. This underscores the need for continuous evaluation and enhancement of security practices to preempt emerging threats

    2. Adopting and Implementing Frameworks:

      Frameworks like NIST CSF and RMF offer a structured approach to cybersecurity. Don’t just be aware of them – actively implement them. This means:

      • Conducting Thorough Risk Assessments:

        Prioritizing vulnerabilities, particularly in critical systems like financial data and infrastructure .

      • Implementing Strong Security Controls:

        Both the NIST CSF and RMF advocate for the implementation of robust security controls to protect IT infrastructure, including servers. These controls can significantly reduce the risk of breaches and mitigate the impact of successful attacks. Here are several critical controls:

        • Risk Assessment:

          Conducting independent risk assessments can identify potential vulnerabilities and gaps in the Central Bank’s IT systems, including the compromised server.

        • Multi-Factor Authentication (MFA):

          Implementing MFA can prevent unauthorized access to servers and other critical systems by requiring multiple forms of verification.

        • Regular Security Updates and Patching:

          Keeping all software up to date and properly configured reduces the risk of vulnerabilities being exploited by attackers.

        • Network Segmentation:

          Separating high-value components from less sensitive systems and networks can limit the scope and impact of a breach.

        • Data Encryption:

          Encrypting sensitive data at rest and in transit ensures that intercepted information remains inaccessible to attackers.

        • Incident Response Plan (IRP):

          Developing and regularly testing a well-defined IRP enables organizations to quickly detect, respond to, and recover from security incidents.

        • Access Controls:

          Implementing strict access controls, including least privilege and role-based access control (RBAC), helps ensure that users only have access to the information and resources necessary for their roles.

        • Security Monitoring and Logging:

          Continuous monitoring and logging of network activity can detect unusual behavior and provide valuable insights during an investigation.

        • Security Awareness Training:

          Regular training for employees on recognizing and responding to security threats can help prevent incidents caused by human error.

        • Backup and Recovery:

          Maintaining regular backups and a robust recovery plan ensures that data can be restored quickly in the event of a ransomware attack or other data loss incidents.

        • Penetration Testing:

          Conducting regular penetration tests can identify security weaknesses and provide actionable recommendations to improve security measures.
          By implementing these (and other) controls, organizations can create a multi-layered defense strategy that significantly enhances their cybersecurity posture and resilience against attacks.

    1. Balancing Technology with Human Factors:

      While technology plays a critical role, the human element is equally vital in maintaining security. This entails:

      • Training and Awareness Programs:

        Educate your team about security best practices, identifying phishing threats, and recognizing social engineering tactics.

      • Securing User Access:

        Enforcing stringent access controls and password policies.

      • Regular Security Audits:

        Conducting thorough internal and external audits to identify weaknesses and ensure the efficacy of security measures.

    2. Prioritizing Communication:

      Open and transparent communication with stakeholders during a crisis is essential. Establish protocols for disseminating timely and clear updates about security incidents.

    3. Staying Informed:

      Given the dynamic nature of cybersecurity threats, continuous education and awareness are crucial. Stay abreast of emerging threats, vulnerabilities, and industry best practices through participation in security conferences, subscriptions to security newsletters, and engagement in online security communities.

In essence, the breach at The Gambia Central Bank underscores that cybersecurity is an ongoing endeavor requiring vigilance, adaptability, and continuous improvement.