With no major worm outbreak in the past two years, CIOs are feeling much safer now. That should be good news but complacency may be setting in without big attacks grabbing headlines.
“CIOs’ top priorities are improving business processes, controlling costs and retaining customers. Security fell out of the top 10 priorities,” said Gartner security analyst John Pescatore. One of the problems, he said, is that enterprises are not thinking about security for new threats. Firms may have old threats covered, but it is the new scenarios that carry the big bang.
“New products and new technology are creating new holes to exploit. Businesses have not done the threat modelling,” said Pescatore.
The software powering mobile phones, for one, is getting less heterogeneous by the minute as Windows Mobile gains market share. That means the list of potential victims is growing. In addition, people tend to trust files sent via text messaging.
Researchers at McAfee Avert Labs concur. They expect an increase in web dangers and threats targeting Microsoft’s Windows Vista operating system, among other new or increased threats.
“Threats are moving to the web and newer technologies such as VoIP [voice over internet protocol] and instant messaging,” said Patrick Hayati, regional director, McAfee Middle East.
“Professional and organised criminals continue to drive a lot of the malicious activity. As they become increasingly sophisticated, it is more important than ever to be aware and secure when traversing the web.”
Then there is the ever-present internet espionage currently being used by over 100 countries, which is becoming more of a trend by the day, according to a McAfee report. The study finds that the number of cyber-espionage incidents and computer attacks on critical national infrastructure are rapidly increasing around the world.
“This is the rough consensus of the security experts we have spoken to, and a credible figure given how low the barriers to entry are. All you need is a few computer science graduates,” said Ian Brown, lead researcher for McAfee and a security expert at Oxford University.
This year saw a record number of incidents in which countries reported an attempt to infiltrate their information defence systems or an attack aimed at disrupting key organisations such as air-traffic control, financial services or utility companies.
One of the highest-profile incidents was in April, when Estonian officials accused Russia of mounting a series of cyber-attacks that brought down the websites and information technology networks of state institutions such as the president’s office, ministries, parliament and the police, as well as political parties. The press and banks were also targeted.
Earlier this year, Dubai eGovernment said one of their platforms was attacked by hackers attempting to corrupt data and damage websites. No financial or personal information was accessed or damaged, it said.
Salem Al Shair, eServices Director, Dubai eGovernment, explained: “We have two platforms. The eHost and the eHost Plus. While eHost Plus is highly developed and hosts very sensitive sites, eHost is less developed and hosts limited data sites.
“The hacking incident happened in the eHost, the first time it was penetrated. eHost Plus has never been, and hopefully never will be, penetrated. We have had hundreds of attempts to penetrate eHost Plus but so far no one has been successful.”
Even though Dubai eGovernment had Dh55 million of transactions online last year, there is no rewarding information on either platform, Al Shair said. “A hacker cannot get any financial gain. We do not keep any credit card or bank information. Financial matters, which a lot of people are worried about, are very well protected and will not be available.
“Personal information is just in the range of name, age and date of birth. The only thing that we worry about is that someone comes in and damages some of the files. It takes substantial effort to bring them all back again.”
But even obtaining personal information can pose a huge personal security risk, said John Paul Moralde, ENSB Operations Engineer at EastNets Dubai.
“Corrupt individuals can use this information against their victim by pretending to be the victim. Having a victim’s personal information can leverage the culprit’s malicious intent by consistently using this information to personally harass the victim,” he said, adding that computer-related laws in the UAE are not very well implemented.
“IT systems in the Middle East are not that mature but a lot of efforts are being made to address this problem,” Moralde said.
The Middle East is now placed second in worldwide IT security services spending with the Americas region topping the list according to a recent report from market analyst IDC. The company said in its latest report on the region that expenditure on security appliances and software grew by 60 per cent in 2006, with the market forecast to grow at an average rate of 23 per cent each year through to 2011.
Growth in the financial sector, and an increasingly sophisticated enterprise sector are driving demand, according to the report. Security expenditure is focused on perimeter defence, with threat management solutions making up 56.4 per cent of 2006 total spend, marking a growth of 61.2 per cent year-on-year.
Spending on secure content management is also high, taking up 24 per cent of expenditure, and security and vulnerability management rank as third-highest expenditure with 11.4 per cent.
The biggest spenders on security solutions are government, which accounts for 26.9 per cent, followed by telecommunications and finance, with 22.6 and 21.2 per cent share, respectively.
Saudi Arabia makes up the bulk of spending, accounting for 41 per cent of the market, with the UAE second with 31.2 per cent. IDC predicts that all GCC markets will continue to show double-digit security spending growth in 2007, with Saudi Arabia expected to grow by 45 per cent, the UAE by 36.6 per cent and Bahrain, Kuwait, Oman and Qatar as a whole by 27.2 per cent.
“The IT security market benefits heavily from investments in basic infrastructure by companies across the region, which inevitably includes threat management and secure content management technologies,” said Vinay Nair, senior analyst at IDC MEA. “A large number of firms are making increasingly sophisticated investments in information leakage detection and prevention technology.”
Unlike many states in the US, there is no legal requirement in most parts of the world to disclose data breaches to the public. Moreover, there is no centralised organisation to which businesses can report computer crime, a factor businesses claim is very frustrating.
“There is no specialised authority to report e-crime other than the local police station – and they have little understanding of it. It is a major problem,” said David Roberts, Chief Executive of Corporate IT Forum, which represents computer users in about half of the FTSE 100 companies.
According to Dubai eGovernment’s Al Shair, Dubai has a dedicated police unit called the e-crime division. “I’m sure they operate with the collaboration of Interpol and other anti-crime agencies in the world.”
Asked if e-culprits can be convicted in Dubai, he said: “There is a local law issued by the government on e-crimes. But to be frank, I haven’t gone through the whole thing.” Al Shair added that Dubai is not an exception to the rise in e-crimes. “This problem is not limited to Dubai. Criminals are using technology to commit crimes in organisations around the world,” he said, citing the CIA and Pentagon as examples.
According to US-CERT, there were 5,000 cases of e-crimes reported in the US in 2005, which rose to 23,000 in 2006 and in the first quarter of 2007 alone 19,000 incidents have been reported.
The US Government has spent $64 billion (Dh234bn) on information technology systems, out of which eight per cent has gone to security. The UK Government spends 11 per cent of IT expenditure on security.
“Still, 62 per cent of their businesses have been hacked one way or another,” Al Shair said.
“The issue of being hacked is not a taboo. It is the same old fight between good and evil. However, we have to understand this is long war. When you improve your security, the hackers do the same.”