In the wake of a series of cyber attacks that targeted Saudi Arabia government agencies and private firms, security experts have warned Middle East organisations to strengthen and prioritise their defences.
Middle East organisations, both public and private, are finding themselves at the forefront of the cyber security battle.
Some of the biggest cyber security attacks of 2016 were on several Saudi Arabia government agencies, which were targeted in a series of attacks over a two-week period, erasing data and wreaking havoc in the computer banks of the agency running the country’s airports and hitting five additional targets. The Saudi state media confirmed the attacks happened over a two-week period, in November 2016, but no further details were provided.
Experts said the attacks involved the use of a new variant of Shamoon (Shamoon 2), a malware tool that made headlines five years ago for erasing the hard disks of more than 30,000 computers belonging to petroleum giant Saudi Aramco.
In January 2016, Saudi Arabia’s telecoms regulator, the Communication and Information Technology Commission (CITC) warned organisations in the oil-rich kingdom to be on the alert for the virus, as the labour ministry said it had been attacked and a chemicals firm reported a network disruption.
Ahmed Baig, founder and CEO of the CISO Council, a non-profit industry body with approximately 4,000 members in the Middle East, said organisations in the region need to ensure cyber security is taken seriously at board and executive management level.
He said it should be addressed as a business risk and not merely as a technology problem as it threatens every aspect of an organisation, including business continuity and, most importantly, reputation.
“The recent wave of regional and global attacks have had consequences like never before,” he said. “The attacks have targeted critical infrastructure, central banks and popular internet websites with data breaches resulting in the compromise of billions of records.”
Organisations in the region need to proactively invest more in security by implementing the right controls and hiring competent people or external security service providers. “As no one is immune to the cyber attacks, organisations in the region should start assessing their security posture and address the weaknesses,” said Baig.
He pointed out that cyber security maturity is lacking in most regional organisations in the Middle East, and more needs to be done considering the sophisticated and persistent attacks used by cybercriminals.
“Regional organisations are investing and working with external partners to implement security solutions and practices that are considered important,” he said. “However, it’s clearly not enough as the evolving threat landscape and advanced attacks such as Shamoon, Stuxnet and others have given an edge to hackers as they were able to gain access due to lack of holistic and inconsistent security practices.”
Organisations can’t afford one wrong move
Baig said what’s troubling with most attacks in the region is that adversaries have to be right just once to succeed in an attack, whereas the victim organisations have to be right always to protect their organisation.
Mohammad Amin Hasbini, senior security researcher at Kaspersky Lab Middle East, Turkey and Africa, agreed with Baig on the lack of security maturity in the region. He said the recent attacks highlight a lack of readiness and maturity of the organisations and employees.
“Keeping in mind that reaching the required levels of maturity is extremely difficult to achieve, IT security shouldn’t be treated as a technology issue but a pertinent business imperative,” he said. “It is not only about the configuration and protection of systems and data, it’s also about making sure that not a single employee makes a basic mistake.”
He added that recent cyber security attacks targeting organisations in the Middle East have shown that some of the most serious security vulnerabilities remain the simplest ones, such as phishing, poor passwords and unsupported software.
Middle East remains a cyber attack target
Nicolai Solling, chief technology officer at Dubai-based systems integrator Help AG, said the recent cyber attacks that rocked Saudi Arabia highlight that the Middle East is still a target.
Solling said what is unique about Shamoon and Shamoon 2 is that these types of malware are not created for financial gain, but to destroy or render a computer system unusable.
Christopher Green, regional director, Middle East, Africa and Turkey, at Malwarebytes, warned that an attacker will always have the advantage because he or she only needs to find one flaw in an organisation's security, whereas the latter must defend against a large number of potential weaknesses, not limited to software but also including the “human factor”.
The job of any organisation is to evaluate risk and prioritise areas where most efforts are needed in order to make the attacker’s job considerably harder. “Many of these kinds of attacks seem to be politically related, and attackers are continuously trying to breach their targets, even if it takes years to achieve that goal,” said Green.
He emphasised that the lack of visible compromise does not mean that threat actors aren’t trying or haven’t already succeeded while lying low until they get further instructions.
Governments must have a good backup policy
He added that, like any other organisation, governments in the Middle East must ensure that they have a good backup policy in place and that they encrypt their data any time that's possible. “Patching software vulnerabilities is important but not enough,” he said. “The kind of attackers wreaking havoc now are usually well funded and able to use zero-day exploits where no patch is available yet.”
He said signature-less protection that instead relies on behaviour attributes is well suited to counter such threats.
Looking to the future, Baig warned of the impact of future cyber attacks on physical systems that are part of the smart and intelligent cities being implemented to gain economic advantage and sustainability. “Cyber security attacks on such infrastructure could endanger human life.”