Cyber-attacks a question of 'when, not if'
Middle East energy firms in particular facing increased risk of cyber-attacks, says Juniper
Businesses in the Middle East, particularly in the energy sector, should be thinking in terms of when they fall prey to cyber-attacks, rather than if, according to Adrian Pickering, vice president of the MEA region at Juniper Networks.
Pickering explained that, because the Middle East is a region rich in fossil fuels, attacks on oil, gas and energy firms are becoming widespread. As an example, he highlighted the recent threat made against Middle East energy firms by hacktivist group Anonymous. The group promised a cyber-attack on or before 20 June.
"With many petrochemical firms in the region being state owned, these threats against companies are putting governments, the economy, as well as citizens, at risk," he said.
Pickering said that these firms are even more at risk now because of a "fundamental asymmetry" created by the passive nature of traditional security defences. These defences, which he described as the ‘castle and moat’ strategy, involve investing in large security stacks to block perimeter attacks. However, he said that this strategy should be discarded because cyber-attackers will eventually find a way into a corporate network.
"The ‘castle and moat’ approach is ineffective at stopping modern attacks because it makes the perimeter the single point of failure and all attackers need is a single breach to achieve their objectives," he explained.
However, Pickering warned against going too far in the other direction - that is, returning the assault or taking action against attackers. He said that this route would simply lead to greater escalation, and would also be swamped with ethical concerns. Instead, he explained that enterprises needed to reach a middle ground that he described as ‘active defence’.
"A better approach is active defence, which looks to actively disrupt attackers when they are attempting to attack an organisation's infrastructures, but without crossing the line and risking retaliation," he said.
"Active defence focuses on identifying and disrupting attackers once they set foot on a company's digital property, but not pursuing them out into the public domain."
To adopt active defence, Pickering called on all types of organisations - from the security industry and government to enterprises and legal bodies - to come together to establish new norms of engagement. He said that organisations such as the Dubai Centre for e-Security were a positive step in that direction.