Virtual Sentinel

The Middle East is entering an online world where viruses are becoming more virulent and hackers more malicious. If the region is to compete on a global scale it must address its lack of Internet and network security.

  • E-Mail
By  Matthew Southwell Published  July 24, 2001

The state of the region’s security|~||~||~|Attrition.org is a web site for hackers. Within its murky depths there is a list of companies that have had their carefully crafted web sites defaced by Internet rogues such as 'Linux Lover,' and 'Dark Code.' If you look carefully at this list then you will see that during the month of May at least three Middle Eastern sites had their security breached.

On the tenth it was the Gulf Area Oil Companies Mutual Aid Organisation, on the eleventh, the American University of Sharjah's library site, and on the thirteenth the Egyptian Cabinet, information and decision support centre. They joined the likes of Gulf News and Middle East Online, which suffered similar fates earlier in the year.

Fortunately, for the hosts involved, the defacement was more akin to having graffiti sprayed on the office wall rather than the company vault raided. Apart from the loss of face, the time needed to clean up the mess was all it took before normal business could resume.

A much more potent type of hacker is the insider, a disgruntled ex-employee who has been fired or laid-off, in their opinion, unfairly. The insider is not just testing their mental agility but is driven by revenge. The results of an attack from an insider can be far more debilitating and cost much more in terms of down time.

In addition to the hackers and insiders, there are the virus writers. Since the Love Bug and Melissa viruses crippled businesses around the world, sensitivity has been heightened. Viruses appear to be growing both more disabling and virulent.

It is clear that the online world can be a dangerous place to be and, because the Internet is a global phenomenon, the Middle East needs to be ready for it. Unfortunately, this appears to be far from the case.

Steve Crutchley, regional director, eTechSecurity, says that he hears of different sites being hacked every day, but people don't seem concerned.

While Andrew Tomes, Advanced Digital Technology, claims to have come across local companies where networks can be accessed in no time at all. "I do not believe that we [the Middle East] have grasped the full spectrum of security so far," says Moustapha Sarhank, president Middle East, IIS.

||**||Who is to blame?|~||~||~|The security experts give a number of reasons for this weakness, but they can be broken down into four main categories: culture, management, infrastructure and skills.

The region boasts a low crime rate and this appears to have lulled businesses into a false sense of security.

"There is a lot of trust in the Middle East — people walk around with lots of cash in their pockets and still feel safe. It is this attitude that they are taking with them into the online world," says Peter van Veyeren, operations director, eTechSecurity.

This naive attitude could present serious problems in the not too distant future. The warning signs are already there in the defacement of regional sites. If local hackers can break into web sites, then it is only a small step for others to enter networks and remove valuable data.

Masoud Sorkhou, managing partner, NSAG, blames the region's upper management. "As far as IT security goes the weakness stems from the management and boards of companies… we don't have [within the Middle East] IT knowledge at a high level and they don't recognise its importance," he says.

The speed of the technological revolution has left some companies struggling. They were just getting to grips with the Internet as an information tool when along came e-commerce. The education necessary to understand the entirety of the topic is something that often passes upper management by as it concentrates on core business objectives.

However, it is not just senior management that must come to terms with security issues. Assad Haddad, managing director, at payment solution provider Comsec, says that, "even IT managers are not really educated in security."

This lack of knowledge makes security a grudge purchase, as it has no apparent return on investment. Company hierarchies exacerbate this problem because many of the region's IT managers report to finance directors. This in turn creates the 'we can afford this much security' problem that leaves a company short of protection.

This speed of IT development and deployment has also affected the region's infrastructure. Crutchley claims that it can be third world at times as companies rush to establish a presence on the web without creating the correct back end systems. By running web sites on such systems companies are leaving themselves wide open to security attacks.

As if infrastructure problems were not enough, every piece of software has a bug in it anyway. Something like an operating system, because it has so many lines of code, presents hackers with a way into systems. Even the software patches used to correct such faults cause their own problems.

Companies, such as eEye Digital Security, scan the web for these security holes. They then tell vendors where problems lie, which in turn issues a hot fix for businesses to put on their servers.

But problems arise when these companies inform users via the web. Hackers are also made aware of weakness and can check web sites to see if they have employed the hot fix or not. If they haven't, then access can be gained.

The problem is made worse by the fact that businesses are often slow to apply these patches. Tomes explains, "they don't just want to put them on a live server - they often want to test it in a controlled environment first."

The age-old problem of skills doesn't help either. Farooq Hasan, marketing manager, Comtrust, complains that "a big problem is finding the right people to take care of the [security] issues." If an IT department is short handed then such fixes will take even longer to implement.

||**||The solutions|~||~||~|It is obvious that this state of affairs has to be rectified. However, the solution is not rushing out to buy the latest and greatest security software. It has to be approached in a methodical and proper manner.

Any security solution comprises three main components: policy, technology and training. However, before pursuing this triumvirate of safety there is the security audit.
If a business does not know where its security weaknesses lie then it cannot know what needs to be done to rectify them. This should seem obvious but, in the Middle East, it appears not to be the case.

"Companies need consultancy before they buy security solutions, but in Dubai they are unwilling to pay for it," says Tomes. He adds that some people just "don't want the advice."

The benefit of paying for independent consultancy is that, theoretically at least, it will be vendor neutral. In other words, a business will get a security solution that best suits its needs, rather than one that best fits the vendor's offerings.

However, it not being an ideal world, some companies are unable to afford independent consultancy. This is no excuse to bypass the audit though. Vendors such as Computer Associates (CA) offer security audits that are supposedly outside of its product range. Of course, once it comes to suggesting solutions there will be a CA focus - no matter what the company says. One independent expert recommends that cash strapped companies take advantage of a number of these free audits in order to develop an overall picture.

Any audit that takes place should consider the following things: risk assessment, existing security policies and procedures, suggestions on how to remedy problems, specific areas of weakness, measurement solutions and staff training.

Once audited, the first step to a secure business is through policies. According to Tomes, security policies either don't exist or are not enforced at present.

"For example, whilst the [company's] policy may say that passwords should be changed every month, in reality they are not," he says.

He has seen first hand companies where even the network manager ignores existing policy and, rather than change his password on a regular basis, leaves it blank or simply types 'password'.

The problem with a policy centric solution is two-fold. Firstly it costs more, as consultants have to be paid to come in and develop it, which, according to Crutchley, people don't want, and secondly it puts the ball back in the upper management court.

"Security policies mean more education for business managers," says Abdul Karim Riyaz, manager, Computer Associates Middle East.

And, as has already been pointed out, it is the business managers that are a large part of the Middle East's security problem. So the necessary management mind shift becomes even more pressing.

Once policies are in place it is technology time. Security solutions are typically made up of anti-virus software, intrusion detection, firewalls, virtual private networks, encryption, and public key infrastructure (PKI).

In addition to these basics, biometric technologies, such as fingerprint and retina scanning or DNA testing can be employed. Comtrust uses the first two in its data-hosting centre.

"The minimum requirement for any company is a firewall, intrusion detection and anti-virus software tied into continual security assessment," says Sarhank.

"Once you have your systems in place you should not be lulled into a false sense of security by having the technology. [For example], a firewall is only a piece of software and does not constitute a total security solution - it is only a part of it," he adds.

Comtrust's Hasan believes there is a lot of confusion surrounding security technology within the Middle East. It is this lack of understanding that has led eTechSecurity's Crutchley to discover customer sites where software just sits in its box.

Tomes believes that although the issue can get complicated - for example, should you have an intelligent firewall that checks the information packet itself or a normal one that blocks only on port numbers - the basics should be easy.

"The solution to this is to tie down as much as you can with a firewall and then implement security audits," he says.

However, caution is needed when configuring firewalls because, as Tomes explains, if this is not taken then companies are still open to abuse.

Riyaz explains that it is not just an issue of using security technology within your own business. "You also have to work with your suppliers to ensure that they use PKI and virtual private networks [to ensure security]," he says.

Although virtual private networks (VPN) are rare in the Middle East they are beginning to grow in popularity. For example, Ernest & Young have recently begun using a regional one.

"VPN's are slow to market [in the Middle East]… a lot of this is to do with the ISPs and connection issues though," says Comsec's Haddad.

Public Key Infrastructure (PKI) is another security technology that has been slow to gain local market penetration. Haddad believes this is because it is a complex solution that can take about 12 months before it is up and running properly.

"[PKI] is very expensive - it can cost up to $1 million at times if installed properly - so there is no great take up in the Middle East. Instead, we are seeing digital certificates being used," he explains.

||**||Managing the technology|~||~||~|Once technology is in place it needs to be managed. The best example is if an employee is dismissed. If his/her network access is not removed then it doesn't matter how advanced intrusion detection software is the ex-employee can still access the network legally. Crutchley claims to have been into banks around the world where they have had 5,000 people with network access that should not have been on the system.

The obvious way to deal with this issue is to ensure that network managers are informed of employee departures. However, across the enterprise this personal communication can be difficult. The human resources and IT departments may not even be in the same building.

Another solution is to automate the process. CA provides a cross platform solution that changes settings automatically. For example, once the human resources department removes an employee from the payroll system network access will be removed.

The monitoring that a network manager completes internally has to be mirrored with regards to the outside world. Tomes states that "every company has to have someone that looks at the log files each day to detect intrusion."

However, some local companies that employ intrusion detection are not using it properly. "I have seen security measures running only between the working hours of 9-to-5 and switched off for the rest of the time," says Crutchley.

Anyone that thinks monitoring is just a case of shutting the stable door once the horse has bolted would be wrong, according to Tomes.

"A hacker will often try for weeks before he gets into a site. If you see this then you can have the firewall block that IP address," he says.

Any security solution has to be supported by adequate training. Riyaz explains that everyone in the company - from the CEO down - needs to know their role in security and how they can be the weakest link.

“Training has to be done throughout the enterprise, but it is particularly important to train your security officer. He has to know all of the installed solutions and understand the issues,” says Haddad.

Yet even this is not as simple as it first appears. Sarhank believes that taking your network administrator and training him to be a security officer may be too much responsibility for one person. Haddad argues that security is so far removed from plain networking that they may not have the skills anyway.

Putting a cost to this technology and training is difficult. Sarhank, says, "security is related to the value of your [data]. The more valuable your information the more security you need."

This is fair enough, but it doesn't give a company starting from scratch anything to work from. Tomes is more forthcoming. He reveals that consulting prices can range from 1000 Dhs per day to $1000 per day, depending on how many consultants you use and from where, whilst basic firewalls start at 5,500 Dhs and can go up quickly to $100,000.

"Companies have to work out how much it would cost if their competitors got hold of their information, and then ask whether or not you protect it at all costs," he says.

||**||Outsourcing the problem|~||~||~|For those lacking the financial clout, outsourcing is becoming an increasingly attractive option, especially with small-to-medium sized enterprises. "In some SMEs we are seeing outsourcing as many SMEs in this part of the world cannot afford to employ a full time security officer," says Sarhank.

In addition to being more cost effective, outsourcing gives a company access to a number of experienced consultants. By employing a specific person they quickly lose market exposure and are less keyed in to market issues.

Whilst solving a multitude of problems outsourcing also causes its own. The first of these is how to choose the right company to outsource to.
"A company needs to go to a neutral consultant, such as Aberdeen Group or Gartner, and check with them who is the best for an outsourced solution. They also have to meet the people. By interacting with them, you get a sense of their credibility," says Sarhank.

Despite the doom and gloom surrounding security adoption within the Middle East there is some hope. As more sites suffer defacement and the issue grows on a global scale the Middle East cannot fail to react. CA's Riyaz is positive about the future. He believes that "the level of security in the Middle East is higher than it was two years ago, and it is continuing to improve."||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code