The smarter technology gets, the more opportunities there are for cyberattacks. As threat levels are elevated to unprecedented heights, companies, governments and security experts are frantically re-assessing how they manage the risks.
On October 21, hackers unleashed a spectacular attack on the internet, bringing down websites including Twitter, PayPal, Spotify and Netflix for almost the entire day.
The attack on internet services provider Dyn, which controls many of the world’s servers, has been described by experts as the largest of its kind in history — and one that many organisations would have been powerless to prevent.
In a blog post after the attack, Dyn’s executive vice-president of product, Scott Hilton, said the cause of the outage was a distributed denial of service (DDoS) attack, in which a network of computers infected with malware was manipulated to bombard a server with traffic until it collapsed under the strain.
The malware used in this instance was a piece of software called the Mirai botnet, which was said to be previously unseen by analysts. Unlike other botnets, which are typically made up of computers, Mirai is made up of internet of things (IoT) devices such as smartphones, web cams, televisions and watches. Because there are so many internet-connected devices today, Mirai attacks are substantially larger and faster than other DDoS attacks.
Hilton said the Dyn attack had involved an estimated 100,000 malicious ‘endpoints’, and that there had been reports of an attack strength of 1.2 terabits per second. “This is approximately twice the size of any similar attack on record — it’s massive,” says Hans Nipshagen, Akamai Technologies’ Amsterdam-based regional leader for web and security for the Middle East and North Africa (MENA) and Central & East Europe.
Nipshagen, along with other information security experts, says the Mirai botnet is part of an emerging global trend of large and complex cyberattacks that are difficult to spot and even more difficult to prevent in an increasingly digitalised world.
“If we look at the threat landscape today, we see that the size of attacks is increasing in terms of bandwidth,” he tells Arabian Business. “The attacks are also increasing in complexity, rendering traditional ways of identifying and blocking malicious traffic obsolete.”
This is especially true in the Middle East, he says. “Companies in the region typically select two key ways to protect themselves. First, using a device in the network of the local provider to stop certain traffic coming into their country, known as ‘geo-blocking’. The second way is to build a fence around your service provider or network, overlaying it with security infrastructure.
“However, the thing with this new Mirai development is that in countries such as the UAE or Saudi Arabia, which have among the highest mobile penetration rates in the world and a large number of internet-linked devices, geo-blocking will no longer work because the hackers will create an in-country botnet using local provider protection. That’s easy, as the devices are there.
“Similarly, relying on your own network to mitigate those attacks is [impossible]. There is no single provider on the planet that has the capacity to cope with such an enormous attack.”
Aside from the Mirai botnet, other, more established forms of attack are on the rise. ‘Ransomware’ campaigns, which threaten to steal data or disable a computer unless the victim pays a sum of money, are extremely cheap to carry out, Palo Alto Networks’ global chairman and CEO Mark McLaughlin told Arabian Business.
“It’s child’s play to string together computer power to launch major attacks; you and I could rent it from the internet for a couple of hundred dollars.”
Peter Tran, general manager and senior director of the Worldwide Advance Cyber Defense Practice at RSA, says cybercrime is one of the biggest threats facing businesses today. “Information security is threatened as never before due to a convergence of business and technology developments — the advent of ‘big data’; use of public clouds for core business functions, and the explosion of bring your own device (BYOD), where employees have one mobile device for both corporate and personal use.
“It’s not a question of whether an organisation will be breached, but when. And the stakes are high. One devastating attack can wipe out years of steady revenue, cutting-edge research or a trusted brand,” says Tran.
Listed software firm Trend Micro reported that in the first half of this year alone it had blocked 29 billion threats, mainly ransomware, representing more than half the total number of blocked threats over the whole of 2015.
Globally, the US accounted for the highest level of ransomware detection at 20.7 percent, followed by Brazil with 17.5 percent and Turkey with 8 percent. On average, Trend Micro sees 250 million threats a day, it claims.
In the GCC, Trend Micro says it has detected a 55 percent increase in threat levels quarter-on-quarter in 2016. The UAE has the highest number of malware detections — an average of 91,956 per month — followed by Saudi Arabia with 87,876, Qatar with 21,293 and Oman with 10,173.
“Advanced persistent threats are stealthier and more sophisticated than ever, using insidious social engineering techniques to quietly penetrate an organisation and deploy customised malware that can live undetected for months,” says Ihab Moawad, Trend Micro’s vice-president for Mediterranean, MEA, Russia and the CIS.
“Then, when you are least expecting it, cybercriminals can remotely and covertly steal your valuable information, from credit card data to more lucrative intellectual property or government secrets — potentially destroying your competitive advantage or, in the case of government, putting national security at risk.”
The release by WikiLeaks of hacked emails from the personal account of US Democrat candidate Hillary Clinton last month is an example of a politically motivated cyberattack. It was part of a series of hacks of Democratic targets that US intelligence officials allege were orchestrated by Russia to influence the election.
Another security concern in the region is the number of malicious mobile application (MMA) downloads, according to Trend Micro. The firm is seeing around 225,018 such downloads, harbouring on average 6,856 different viruses. Saudi Arabia has the highest number, averaging 51,716 per month, followed by the UAE with 49,937.
Another regional trend is the rise in online banking malwares. Saudi Arabia is the worst affected with 213 malwares a month, followed by the UAE with 124, according to Trend Micro. Last month, cybersecurity firm Kaspersky Lab revealed that a mobile banking Trojan, or malware, known as ‘Svpeng’ had been discovered in Google’s advertising network AdSense. Within two months, Svpeng was detected on the Android devices of around 330,000 users with the rate of infection peaking at 26,000 victims in a day.
“Ransomware, targeted attacks and financial threats are the biggest risks affecting Gulf-based businesses today,” claims Ghareeb Saab, senior security researcher for Kaspersky Lab. “Saudi Arabia, the UAE and Qatar are hotspots for cybercrime, possibly due to the presence of abundant natural resources.”
Indeed, there are alarming instances of cyberattacks, sometimes state-sponsored, on physical infrastructure and utility networks across the Middle East. Examples include ‘Stuxnet’, which sabotaged Iran’s nuclear programme in 2009 and 2010, and the ‘Shamoon’ attack on oil giant Saudi Aramco in 2012, in which around 30,000 of the company’s computers were infected by a self-replicating virus that caused significant disruption by indiscriminately deleting data from computer hard drives.
Although it did not result in an oil spill, explosion or other major fault, Saudi Aramco’s business operations were disrupted and it took almost two weeks to recover. “It is likely that some drilling and production data were lost,” the International Institute for Strategic Studies noted in an analysis in 2013, and added that Shamoon also spread to the networks of other oil and gas firms, such as RasGas.
RSA’s Tran points to a live example of a regional campaign, called ‘Moonlight’. The hackers behind it were active as recently as last month, he claims. They use social engineering mechanisms to get home-based internet users to click on YouTube videos and other seemingly innocuous social media posts. The malware then stays hidden in the home network until the attacker chooses to activate each and every node, Tran says.
Security threats are no longer sector specific, experts say, although banking and financial services continue to be a target for obvious reasons, and the education and healthcare sectors are vulnerable because they store reams of personal information. The rise of state-sponsored cyberattacks means critical infrastructure such as oil and gas, electricity and telecoms are all high-priority sectors.
There are, however, factors that escalate the threat level for Middle East businesses, says Abdullah Mutawi, Dubai-based partner at law firm Baker Botts: “We’re in a pretty affluent region, which means Gulf populations tend to have a higher disposable income and a far higher number of IoT-connected devices than in other parts of the world.
“Think of mobile penetration rates — estimated to be at least 200 percent here — Fitbits, smart watches, smart home technology, even a television in Dubai is likely to be an internet-connected Smart TV, where somebody in Eastern Europe could happily be sitting there watching what’s going on in a Middle Eastern sitting room through the camera in the TV. It’s very easy to do.”
Mutawi says ‘smart’ devices are such tiny pieces of equipment that it is difficult to build many security defences into them, making them vulnerable. Also, much of the region’s public transport is new and automated, so hackers could potentially instigate a ‘kinetic’ attack on the Dubai Metro’s control system, for example, and commandeer a devastating attack. “It’s scary stuff,” he says.
MENA governments are projected to spend $11.7bn on IT products and services in 2016, according to Gartner, and, with more and more digital devices generating and storing volumes of data, the threats are unlikely to dissipate. The good news is that governments are picking up the pace on raising awareness and taking action to fight cybercrime. The UAE’s National Electronic Security Authority (NESA) is working to create a national cybersecurity framework, while Qatar in November approved a draft National Privacy Law aimed at protecting online personal information.
Last month, the first female Emirati was appointed as director of New York University (NYU) Abu Dhabi’s Centre for Cyber Security. Hoda Al Khzaimi says the centre is aiming to devise a strategy for integrating cyber defences in a more holistic manner than before. “The industry keeps applying the same security methodologies to new technologies,” she tells Arabian Business.
“We really need to move on from this because it’s not working. If it was, we would not have so many persistent threats, and we would not see governments and major entities being attacked by different groups.
“Major stakeholders need to be protected and they have the money to protect their assets, but what they’re doing is not enough. Is it because they’re not investing? No, the problem is the way they handle cybersecurity.”
Al Khzaimi says one of the biggest misconceptions when it comes to cybersecurity is that only networks and computers need defences. “Anything that holds data — all these biochips and robotics and apps — they all need a system of security around them. What we’ve been doing wrong is to apply classical approaches to new innovations.”
Cisco estimates cybersecurity will drive $7.6 trillion of digital value over the next decade and technology firms are jostling to compete for business. Many have recognised the gaps in security strategy noted by Al Khzaimi and are devising highly complex methodologies to beat the hackers.
Scott Manson, cyber security leader for Middle East and Turkey at Cisco, says: “Most organisations have a wide range of disparate technologies and processes to protect themselves; however, these systems don’t work together, which limits visibility and control.
“Even simple password protection is not sufficient. Decision makers must think more along the lines of using contextual-aware security that incorporates multiple factors into the authentication process.”
Harish Chib, vice-president, MEA, at Sophos, claims his firm is doing something that has never been done before in the IT security market: providing both end user and network security.
“We’re leading a new wave of security innovation we call ‘synchronised security’, which, for the first time, allows endpoint and network security products to share threat intelligence with each other.”
BlackBerry, which has announced plans to exit the smartphone manufacturing market, spotted a lucrative niche in security consultancy and has set up an Advanced Security Assurance division. Nader Henein, regional director of advanced security solutions, tells Arabian Business the rapid pace of technological innovation is creating a mass of unsecured IoT devices. Cars, medical equipment and home appliances are retrospectively wired up to the internet even when security systems have not been embedded into these products at development level. This, he argues, is bordering on “criminally negligent”. BlackBerry works with clients, such as healthcare device manufacturers and airlines, to embed security into products at factory stage, and map out vulnerabilities in existing devices.
Baker Botts’ Mutawi says the rise of cybercrime is giving birth to new business areas, such as legal advisory to help firms comply with international standards and draw up HR policies to protect sensitive data; review supply chains to identify where liabilities lie, and conduct cyber-related due diligence both internally and in the case of a merger or acquisition.
“We are also seeing a rapidly growing market for cyber insurance — some of the world’s biggest underwriters are introducing cyber policies,” he says.
Still, cybersecurity is not yet a “boardroom topic” in the region and this needs to change, Mutawi adds. The threats rising up from the dark web on a daily basis are of huge concern in the digital world in which we live, and it will take concerted efforts from all parties to beat the bad actors.