Several high-profile security breaches around the world grabbed the attention of the Middle East IT industry, but it has taken the first major attack on a regional organisation – the devastating ‘Shamoon’ malware attacks on Saudi Arabian Aramco – to really bring it home that cybercrime is something CIOs should be taking very seriously. Ben Rossi delves into the issue that is engulfing the Middle East.
Hacking has changed. Hackers have changed, to be exact. It’s no longer teenage boys sitting in their bedrooms drinking cola, munching on chips and gaining recognition from their peers for bringing down a website.
It’s now something far more serious. It’s organised crime, it’s an industry in its own right and it can have destructive consequences for the victims. Those who do it have even been given their own name – cybercriminals.
Take Saudi Arabian Aramco as a key example. The ‘Shamoon’ malware set about wiping parts of the master boot record (MBR) on the hard drive of any Windows system it could reach – a technique designed to cause chaos on target networks. It succeeded, reportedly destroying 30,000 systems.
“Those endpoints have to be rebuilt and I don’t know how to measure that in terms of loss of revenue, but I would think that it’s millions or even tens of millions of dollars’ worth of revenue,” says Nick Black, Senior Technical Manager, Trend Micro.
Aside from the direct financial loss of an attack, there are several more indirect consequences of suffering a breach. “There is a loss of face, loss of trust of their customers and the impact of losing customers to competitors – all of which are not measurable but have a massive impact,” Black says.
A step ahead
One would be forgiven for wondering why, with all the awareness and security solutions around, we continue to see these high-profile breaches. Are the hackers keeping a step ahead of the solutions being made available?
“Hackers will always be a step ahead,” says Alaa Abdulnabi, Regional Pre-Sales Manager, Turkey, Emerging Africa and Middle East, RSA. “No one can predict the next attack on a certain organisation or the vector that will be used. We have to realise that we are living in a state of compromise and we must learn how to survive it.”
It’s important to recognise that security is a process and not a set of technologies, no matter how good they are, according to David Emm, Senior Regional Researcher, Kaspersky Lab.
“There always remains the human factor in security. The starting point for many attacks is to trick someone into doing something that compromises their or their employer’s security. So yes, technology that is able to block attacks is needed, but people also need to understand the threat and what they can do to reduce the risk,” Emm says.
The cyber espionage threat poses serious long-term consequences not only to a company’s profitability and competitiveness, but also a country’s national security, according to Roger Cressey, Senior VP, Booz Allen Hamilton.
“The implications of being subjected to a security breach by cybercrime are vast. It has happened in the U.S. and now it is occurring in this region,” Cressey says.
Abdulnabi adds: “The nature and intention of the attacker play a big role. A nation-state hacker in almost all cases will not be after financial gain. Attacks could cause reputational damage, service disruption, sensitive information loss, government and defence secrets leakage, and, God forbid, human life loss.”
Organisations must remember that it is indeed a real crime and the law is there to protect them, but only if they are prepared.
In 2006 the UAE government brought in the Information Technology Crime Control Law, also known as the Cybercrime Law, with the purpose of criminalising unlawful activities that people perpetrate using computers.
However, because attacks that come from a computer are so difficult to trace, in 2007 the UAE Telecommunications Regulatory Authority (TRA) set up the Arab Emirates Computer Emergency Response Team (AECERT), whose role is to support the identification and prosecution of cybercriminals.
Preparing for war
For organisations to take advantage of these laws, they must put into place security management programmes that comply with ISO 27001. If they are attacked, they then have the information that is required by AECERT to pursue the cybercriminals.
If they don’t have those programmes in place, the laws are practically useless to them and the criminals will likely go untraced and unpunished, according to Paul Allen, Head of the IPT Group at global law firm DLA Piper.
“Cybercrime is highly important in the region and globally. The important thing is for organisations to put in place a programme that complies with best practice and to implement it so that if they are attacked the authorities can help them to investigate,” Allen says.
Cybercrime is no longer an issue that organisations can ignore or dismiss as something that won’t happen to them. It is clear that every organisation, no matter how large or small, is a potential target, and the rise of mobility in the enterprise only poses more challenges.
“There is no doubt in my mind that it will get worse,” Black says. “I think we will see exponential growth in cyber attacks. Android for me is a massive risk. Anyone can dump applications in Google Play Store, so we’re going to see exponential growth in vulnerabilities of end points and entry points simply through the ineffectiveness of Android as a secure operating system. That’s a massive issue.”
Abdulnabi agrees that cybercrime is not going away and that the problem will only get worse.
“In the Middle East specifically, the volume of attacks will increase and nation-state sponsored attacks are likely to occur more often, reflecting the political tension in the region. It is important that we accept that we are living in a state of compromise. This will require adopting a new security model that is agile, risk-based, contextual and intelligent,” he says.
Cressey adds: “Cyber security is now a fundamental requirement of every organisation that develops or delivers value.”