Under Siege

A plethora of security solutions exist on the market today, however as bandwidth increases in the Middle East and malicious code gets more destructive, industry leaders say the myriad of solutions may just be confusing the market. They claim the only way to make best use of sophisticated security solutions is through education.

By Davin Hutchins. Published January 3, 2005

In early December, on one of the busiest holiday weekends of the year, Dubai’s ATM network had a major compatibility problem. With thousands of visitors in town for the Dubai 7’s, visiting revelers were shocked to find out that they couldn’t withdraw money from any ATM. Even local residents couldn’t withdraw money for several days unless it was from their home bank.

The official cause, according to the Central Bank of the UAE, was “a problem” with the Dubai mode of the UAE Switch ON/X system, which links up all the ATMs. There was no evidence that the glitch was the result of malicious intent, but the incident illustrates how vulnerable banks are to technical snafus and how disruptions can send shockwaves through the economy. Many ATMs ran out of cash. Less cash was in circulation, impacting merchants and consumers alike.

Although many banks in the Middle East are beefing up their security, Kevin Issac, Middle East regional director for Symantec, hopes it doesn’t take an incident like this for financial institutions to take an even harder look at emerging threats. But he’s skeptical.

“I think it’s going to take something very public and very real for people to understand,” says Issac. “You need points of inflection to change people’s thinking unfortunately. We should be proactive with security instead of doom and gloom. We have to give them facts and we have to give them ways to improve their abilities,” he says.

A plethora of security solutions exist on the market today, with vendors designing products to fight against worms, viruses, spam, Trojan horses and bot-laden e-mail.

But as bandwidth increases in the Middle East and malicious code gets more destructive, industry leaders say the myriad of solutions might just be confusing the market. They claim the only way to make best use of sophisticated security solutions is through education and awareness.

According to research firm IDC, Middle East’s security software spending reached US$52.9 million in 2003 and was estimated to increase another 25% by the end of 2004. Optimistic figures put the segment at US$145 million by 2008.

More than 25 vendors are competing for the region’s market share, including Symantec, Trend Micro, RSA Security, McAfee and Internet Security Services. Even though most businesses have installed the basics like spam filters and firewalls around the perimeter of their networks, the new spending push is in secure content management (SCM).

“There are essentially two types of threats facing the enterprise – internal and external threats,” says Heini Booysen, senior analyst at IDC CEMA's Software Group. “Even though external threats like viruses, Trojans and spam far outnumber internal threats, often it is internal threats that can cause the most damage.”

According to IDC, more than 60% of IT security sales in the Middle East have been for secure content management software purchases. More and more, security managers are realising that what goes on inside a firm can pose more threats than what lurks outside.

“Internal threats basically come down to an individual employee using inadequate passwords, inappropriate employee access, lack of password updates and corporate,” says Booysen. “In the region, more time and money is spent on fighting external attacks instead of drafting a formal security policy for employees.”

Employees interface with the outside world every day via e-mail and by interacting with websites. Occasionally, an employee unwittingly invites intruder code onto a network. If a thorough internal security structure is not implemented, it’s hard to track down the devil inside.

A common technique is “phishing.” That’s when an outsider solicits sensitive information by disguising the request as an internal communication or mechanism.

“I receive e-mails from banks in the Middle East warning me about phishing,” says Symantec’s Issac. “There have been viruses and worms written that name specific banks which try to get information or ask for your details at your banking facilities. I’m not talking about international banks with branches here. I am talking about local banks. I would say the area that’s the most anemic right now is the financial services industry.”

Every six months, Symantec releases its Internet Security Threat Report. Unlike many similar reports that survey IT managers, Symantec gleans real time threat data from its users and compiles it to spot trends. Among the findings, bot-infected computers worldwide rose from 2,000 at the beginning of the year to more than 30,000 by mid-year. Distinct variants of bots rose by over 600%.

Trend Micro is a long-time security player, focusing on virus protection for desktops, LANs, HTTP and FTP servers. It recently announced the launch of its VirusWall 300, designed to protect regional ATMs against Internet worms at network endpoints.

Although no system can be totally immune, the vendor hopes increasingly sophisticated anti-viral solutions can prevent things like ATM blackouts. But Justin Doo, Trend Micro’s managing director, Middle East and Africa, agrees that techniques like phishing are blurring the line between internal and external threats.

“We know of one instance when a particular company was targeted by a phishing e-mail which was trying to get the names of the key people in the organization on their database, presumably to be used as a recruitment drive,” says Doo. “What they did was spoof an e-mail to make it look like it came from within the company which said something like ‘we are updating our HR database, please confirm private e-mail addresses, phone numbers, etc.’”

National Bank of Abu Dhabi (NBAD) is the UAE’s largest bank in terms of total assets, deposits and branches. NBAD uses Trend Micro’s anti-viral software. Srood Sherif, Head of I.T. for NBAD, says another big concern for banks is ensuring patch updates keep pace with mutating threats.

“Patching is a must-do task,” says Sherif. “It could cause organizations a lot of damage if not taken seriously. All organizations should have a patch management process in place whether automated or otherwise. Desktop operating systems, mainly Microsoft Windows, have had many vulnerabilities that require regular patch updates, which could lead to e-banking threats. User ignorance about phishing and static passwords are another major threat.”

One of the major security concerns over the past year, and a textbook example of problems with security integration, was the August release of Windows XP Service Pack 2. Microsoft named 60 applications that may not work once SP2 was installed. Many of those named were enterprise solutions by Computer Associates and Symantec.

“[The SP2 problem] is a prime example of lack of integration,” says Naveed Moeed, Technical Consultant with RSA Security. “As much as possible, all vendors – RSA Security, Trend Micro, Surfcontrol and Message Labs – try to keep up with integration. However, occasionally one of the big guns issues a software change that has wide repercussions.

Another example is when Novell released a service pack of their latest software which failed to function with some existing encryption and authentication software. The industry had to play ‘catch-up.’ Early this year, Symantec, Trend Micro and Network Associates joined forces with Cisco Systems for Network Admission Control (NAC).

Essentially, when desktops and servers on a network don’t reach predefined patching levels, they are shut out until they are upgraded. Security software was one of the first niches to reach maturity in the Middle East. A competitive landscape has bred consolidation but not necessarily good integration, says Sherif Shaltout, senior information analyst for Internet Security Systems (ISS).

“The real problem of Security Integration stems from the absence of a standard framework that allows the various security tools in use today to communicate with each other and more importantly understand each other,” says Shaltout.

“Even within a single vendor product range, integration continues to be a problem. This is due to the fact that most of the security titans in the game today grew by acquiring other smaller companies in order to fill a certain gap in their product portfolio. Integrating inherently different products that were originally designed to act as stand alone products is always a cumbersome task that most vendors fail to accomplish correctly.”

Shaltout says ISS has tried to guard against this by trying to develop new security modules based on its own technology. He says integration is still a major concern of end-users. “Security administrators would typically have to deal with different Firewall, IDS/IPS, antivirus and assessment technologies and try to analyze and manually correlate the millions of alerts generated by these tools hoping to find that hidden security breach.”

ISS has wrapped its web filtering, mail security and emergency patching into its Proventia product family. ISS is also among the second round of vendors that would engage in Cisco’s NAC initiative.

Amro Elfiky, ISS’s Technical Marketing Executive based in Cairo, feels software is becoming integrated and sophisticated enough that a company’s security team can be streamlined. “The advantage of today’s security offerings is that you do not need a dedicated security team to be protected,” says Elfiky.

“You do, however, need to instigate and enforce a proper security policy, together with a robust security appliance/suite. This can be handled (depending on organisation size) by one person.”

But Symantec’s Kevin Issac disagrees, saying security policy should not emanate from the IT manager outward but rather from the boardroom inward. “Ownership of security in SMBs should not be left to the IT manager,” says Issac. “You have to make sure your reporting structure adequately creates usability at the boardroom level.”

Trend Micro’s Doo sounds a similar warning, citing coming compliance standards like the Basel II accords in Europe. The Basel II standard, with which all G-10 banks must comply by 2007, not only requires transparent balance sheets and lending practices, it creates a common standard on securing financial data.

“In Northern Europe and the US, most firms have a chief security officer, normally at the board level but not part of the IT department,” says Doo. “They realise the security officer should not sit within the environment he is assessing. If your IT manager is your security officer, he is reviewing networks, applications and devices he signed off on a year before. He is likely to be less impartial,” he adds.

“There is a lot of liability being built into security. Basel II mandates companies must have a certain amount of data security if their banks are to continue offering lines of credit at rates they enjoy. Someone who cannot demonstrate strong data security will be charged or denied credit. When you make the board responsible as a collective whole, the board finds someone they want to own the problem, hence a chief security officer. Because at the end of the day, they don’t want to go to jail for it.”

Symantec is starting a corporate security awareness program to complement its products. “It makes people who don’t care about technology more aware,” says Issac. “Secretaries, clerks, etc. It goes through various modules discussing passwords, firewalls, and viruses. We are talking front-line information. You have to train those people.”

Training and raising awareness is fine and good. But re-training employees on emerging technologies when products, threats and patches are constantly morphing often sends them back to square one. The re-learning curve can often impact corporate productivity.

Take wi-fi networks for example. Having laptop users remain mobile while connecting to public and private wireless networks enables them to stay productive on a more personalised time schedule. But wi-fi networks, especially public ones, use a different architecture than LANs and security problems abound.

RSA Security conducted a survey this summer in Europe that found a third of European businesses were not encrypting their data properly over wi-fi networks. Some firms in countries like Italy left 75 percent of their wi-fi data unencrypted.

RSA is a worldwide market leader in data security, authentication and digital certification with products like RSA SecurID. Still, secure transmission of data while retaining productivity is a major concern in the Middle East.

“I have an interesting tale,” says RSA Security’s Moeed. “We went into one of the regional Gulf banks and met the Head of Technical Services. The moment we were introduced, he asked ‘RSA? Yes? You're the security people?’ I responded with a yes, at which point he grabbed my arm and said ‘Come with me!’ For two minutes, he literally frog-marched me to the desk of the bank’s highest-level security administrators and said ‘Look! Just look! We trust this man with one of the most secure systems in the Middle East.’ Taped to the middle of his desk was a list of all the admin passwords to the systems. “Make this problem stop for me,

Productivity issues were a major concern for Tejari, one of the major B2B e-commerce portals in the Middle East, where wholesale buyers and sellers can match products and services in a virtual marketplace.

“Our number one problem was outbreaks of e-mail viruses and spam mail,” says Rhada Krishnan, Director of Technical and IT at Tejari. “The spam alone took away from productivity as people had to open and delete it. At least one to two hours out of the workday to delete. Then of course, genuine mail got deleted. In addition, 60% of our volume of mail was spam which slowed down our network.”

With advice from Fusion Distribution, a local vendor of RSA Security, Surfcontrol and Message Labs security solutions, Krishnan implemented e-mail filtering from Message Labs, which solved the problem. Fortunately, there have been no compatibility issues so far.

“Message Labs is non-intrusive and works fine with Trend Micro,” says Krishnan. “One good thing with Message Labs is it gives you a 6-hour head start on new viruses. Now we are focusing on SSL secure certification as we upgrade Oracle Exchange from 6.2 to 6.25. But it’s a hide-and-seek game. Once you fortify something, people come out with something new which could make you vulnerable.”

That is especially true as bandwidth increases throughout the Middle East. It’s a classic catch-22. Narrower pipes slow the spread of viruses and bots, but also slow corporations’ ability to patch and update virus definitions. A broadband universe locally speeds up reaction times, but also means ISPs and DSL users open new potential windows of vulnerability.

“One of the latest viruses was based around the vulnerability of new broadband connections,” says Fusion’s Tim Martin. “When people leave broadband connections open 24-7 at home, that is what is really fueling the bot problems. I don’t think that local ISPs are taking it seriously enough.”

“Security technologies and best practices will have to keep pace with the escalation of threats,” says IDC’s Booysen. “Even with the number of certified security professionals growing in the Gulf region, the demand for these professionals is currently exceeding supply. Many vendors and users are increasingly looking for all-round security professionals, someone who can administer any brand and version of firewall and intrusion detection, is network-savvy, can code and is versed in new technologies like XML, .Net and Wireless applications. An understanding of the security business, including its regulatory issues, is also being sought.”

Firms will find it hard to leave their security to a ‘jack of all trades.’ Trend Micro’s Doo says vendors must reach consensus while maintaining a spirit of healthy competition.

“I would advocate anything that is truly independent of Trend Micro, Symantec or any vendor. What’s needed is a government body that could advise people on security issues without trying to advocate a certain product. Conversations always seem to head toward, ‘You need security and by the way, we can provide three new firewalls and encryption.’ If there was an independent body without vendor affiliation, that would be utopia.”
