ANALYSIS: Cyber security
The digitalisation of data and information has enabled businesses to work more effectively than ever before.
Automated networks, interconnected devices and cloud computing are all enhancing global operations, driving efficiency, automating dangerous tasks and managing complex supply chains.
These improvements come at a potentially high cost, however, as increased connectivity exposes a wider network surface to an increasing number of complex cyber security threats. And as the world dives head first into the Internet of Things (IoT), with hundreds of millions of connected devices, the risk of networks being hacked, viruses triggered and critical business information stolen will only grow.
Moreover, the advancement of smartphones and tablets during the past few years – Apple’s first-generation iPhone was launched in 2007 – has brought about a previously unseen level of mobility and connectivity. This brings advantages for businesses, especially when employees are spread around various locations, but it requires a sophisticated level of security. Cisco reports that nearly half of Middle East employees (46%) bring at least one personal device to work, yet only 55% of companies have a Bring Your Own Device (BYOD) plan in place with 65% of employees not realising the dangers of BYOD.
Rabih Dabboussi, general manager, Cisco UAE, commented: “In general, Middle East organisations and employees do not realise the potential dangers of BYOD and are unprepared to manage their security. Among the most effective cyber-attacks are phishing, social media jacking that tricks users into clicking different pages, forcible re-directs to websites other than expected, adware and spyware.”
Part of the problem stems from the number of different types of software that data and information is viewed upon. For example, the Android operating system has multiple difference versions and updates for different devices, and developers can stop offering updates with older devices, leading to a more easily hacked system. To understand the loopholes and threats, firms should look at all different devices and find the most secure way to use them, so they can ascertain how attackers could get data.
“All Middle East organisations should assume they have been hacked. It is no longer if they will be targeted by cyber-attacks, but rather when and for how long,” Dabboussi asserted.
“Using methods ranging from the socially-engineered theft of passwords and credentials, to stealthy, hidden-in-plain-sight infiltrations that execute in minutes, malicious actors continue to exploit public trust for harmful consequences,” he continued.
Nicolai Solling, director of technology services, Help AG, says regional logistics companies should be taking the threat of cyber crime seriously.
“Any organisation that leverages IT systems to conduct business is a potential target for cyber criminals and logistics and supply chain companies are not exempt.
“Given how information and applications must be available on the go, and often readily accessed by business partners and third-party organisations, technologies such as cloud computing, and enterprise mobility have been widely by this industry. These introduce a number of attack vectors and raise concerns such as securing data in transit, on mobile devices, user authentication, etc.
“Disruption to any of the IT systems could cause a ripple effect down the supply chain resulting in the inability to meet deadlines, impact on partners and reputational impact,” he says.
Businesses have to keep pace with a rapidly changing landscape. It is predicted that there will be 50 billion connected devices by 2020 and 500 billion by 2030. Cloud technology will continue to advance, making organisations that lack proper infrastructure and processes in place more vulnerable to cyber-attack.
A more collaborative approach to security is needed, Dabboussi explained: “As the region embraces the era of the ‘Internet of Everything’, companies must realise that security is no longer the responsibility of IT professionals alone. Mobile operators, device manufacturers, software developers and businesses need to be on high alert for potential cyber spill over, especially with mobile malware.”
Threats will only become more complex, meaning companies need to protect weak links in their networks and adopt a business-oriented cyber security approach.
“Attacks are on the rise and a change in security integrations today is that they no longer just deal with preventing the attack, but now address how you react to it. As attacks are a persistent fact when working in an IT-enabled environment it also means that we can start to create real calculations of the cost and benefit of security. Or put it in another way: if the attack will happen, and we can quantify the cost of the attack, we can actually create a calculation of its impact. If these companies were to conduct such an analysis, I’m sure they would have a strong business case for enhancing their security posture,” Solling reveals.
Experts define cyber-attacks as an intrusion on a network infrastructure that will analyse an environment in order to exploit existing vulnerabilities within a system or an organisation. If the purpose is to learn and obtain information from a system without altering or disabling any resources, it is classes as a passive attack whereas an active attack is where data or resources is altered, disable or destroyed.
Discussing the possible motives, Solling reports: “One of the most common forms of cyber crime in the region is hacktivism. As a number of countries in the region are politically unstable, there has been a dramatic increase in the number of attacks carried out by organised cyber terrorist groups.
“A prominent factor in the increasing scale of hacktivism is the growing significance of IT systems in everyday life. Today, any large public or private sector organisation has an online presence and will certainly depend very heavily on a number of IT systems to carry out its day to day operations. Web-based applications and services are widely deployed as well and customers are more likely to engage with organisations through online channels.
“Given that any disruption to these services can cause an immediate and noticeable impact on the business, it is no wonder why hacktivism is such an effective tool.”
He adds that hacktivists often go public with their activities, which differentiates them to more organised groups or individuals who hack for a living. Solling notes: “These individuals or groups want to stay undetected for as long as possible and the noise generated from their attacks is therefore much less.”
“Often the victims themselves are unaware that their IT systems have been breached and the motivation for these attacks can range from disrupting business to cyber espionage and often financial gain. So while hacktivists may be a nuisance and also potentially have a business impact by taking out services I would still consider them less dangerous that the organisations, individuals or state sponsored groups who are targeting specific organisations and companies.”
Simon Goldsmith leads BAE Systems Applied Intelligence’s regional hub. He said due to the complex nature of sophisticated attacks, some companies never found out that they have been targeted.
He said: “They [the attackers] are able to evade all the monitoring systems and get through all the defences. Because they are using the kind of exploits that have not been published yet, or they are hiding in the massive amounts of security data that is in the organisation and they become very difficult to spot.”
It stands to reason that as any industry become more automated and technologically advanced – with more data being generated by sensors rather than people – its vulnerability increases.
Gert Thoonen, global process technical consultant, Rockwell Automation said the best protection is disconnecting from the internet but noted even that does not offer full protection.
He explained: “Having or getting access to the system is creating a risk so everyone who has access is a potential risk. There is not one single thing that can protect us from attacks. The common approach in all standard groups is an in-depth approach; a layered approach where each part takes a specific risk away.”
He advised companies to avoid standardisation: “Standard means open specification; everyone can buy or get a standard specification and see how it works. The good user will use it to standardise and integrate his product to connect to the network but the hacker will use it to find out where the weaknesses and open holes are to attack those systems.”
Hardening your IT infrastructure can make your company a far less attractive target, Solling advises, reasonsing that attackers will always go after the lowest hanging fruit.
He shares: “Any organisation should factor security in right from the planning and design stage. It is easy to view IT security only as an overhead and try to cut costs by focusing only on the functional aspects of IT.
“However you must remember that IT security is akin to insurance; no one likes to pay for it but when things go wrong, everyone is grateful to have it in place. And unfortunately, getting attacked is no longer a matter of if but rather when.
“I strongly believe that you cannot protect what you cannot see and therefore strongly advocate the use of network security tools. In order to be agile and provide required protection, security solutions need total network visibility, including physical and virtual hosts, operating systems, applications, services, protocols, users, content, network behaviour as well as network attacks and malware.”
He says correct fundamental architecture is the key differentiator in delivering a solid, scalable and future-proof technology platform to deliver protection for upcoming threats. At a basic level, he makes the point that having an informed employee is most likely “the single best defence to cyber-attack”, asserting that anyone operating a computer should have an understanding of what to do and not to do. It would be easy for employees to be tricked into visiting untrustworthy websites and triggering malicious downloads.
“Few organisations understand that enforcing IT security extends beyond the realm of IT teams alone. Every employee who connects to the enterprise network is a potential gateway for attackers to breach the organisations defences so a holistic security strategy must also take into account regular employee training and education,” Solling explains.
For their part, the respective GCC authorities are increasingly taking cyber security on board; in early 2014 the National Electronic Security Authority (NESA) published key policies and standards for dealing with cyber threats in the UAE, for example. The UAE is a leading target according to a report by Trend Micro on the Middle East, which suggested 24 million adware attacks took place in Q3 2014. Of these, 14 million were in Saudi Arabia, making it the region’s most desired country for cyber criminals, with the UAE second at eight million. By comparison, security threats in the rest of the Middle East appeared relatively low – a total of just two million.
Cisco’s 2015 Midyear Security Report, which analyses threat intelligence and cybersecurity trends, revealed a critical need for organisations to reduce time to detection (TTD) in order to remediate against sophisticated attacks by threat actors. The study found that operators of crimeware are hiring professional development teams to ensure their tactics remain profitable and cyber attackers are using Microsoft Office macros to deliver malware; Cisco described this as “an old tactic that fell out of favour but is being taken up again as malicious actors seek new ways to thwart security protections”.
Consequently, Dabboussi called on the technology industry to up its game by providing resilient products and services, while the security industry should be “vastly improved, yet meaningfully simplified, capabilities for detecting, preventing, and recovering from attacks”.
This advancement is a necessity as we progress and evolve. As Solling concludes: “Traditional security simply cannot protect against the complex malware types we are seeing today.”