By Sarah Gain
E-commerce is no longer a value-add but an obligation for enterprises that want to meet the service expectations of their customers. Yet many organisations fall short of security best practice and, in doing so, leave their businesses open to attack.
E-hijacking is a real and growing threat to businesses. Some of the biggest financial institutions in the Middle East have fallen prey to e-terrorists who take over an organisation’s website and hold it to ransom, demanding large sums of money. Some hackers even redirect the website to a different site that displays unsuitable content, according to the CIO of a leading regional financial institution that has suffered this type of attack. Nor is this the only threat facing enterprises and financial institutions that offer e-commerce facilities: e-terrorism takes many forms and can have a devastating effect on a business.
In all computer-dependent nations, organisations need to be concerned about potentially ruinous cyber attacks, and the Gulf States are no exception. According to a paper recently published by Cisco Systems, “The corporations most vulnerable to cyber attacks are those that are heavily involved in, and derive the majority of their revenues from electronic commerce or dot-coms.”
As an organisation’s dependency on computers and network communication increases, it is only logical that its exposure to information security threats grows too. Those threats originate from many sources, including organised criminals, industrial spies, disgruntled employees and amateur hackers, each with a different motivation for launching an attack. Some seek to deny service, often with the aim of extorting money from their victims, but the most common impetus is to gain access to information, according to Kevin Isaac, regional director for Symantec in the Middle East and Africa.
“Malicious code created to expose confidential information represented 54% of the top 50 malicious code samples at the end of 2004, up from 44% in the first six months of the year,” he states, adding the total number of internet threats per capita in the Middle East has increased by 4% over the last six months.
While e-commerce in the Middle East is still in its infancy compared with the US or Western Europe, adoption is beginning to grow apace. Etisalat’s eCompany recently announced that the volume of e-payment transactions rose by 138% in the first quarter of 2005 compared with the same period last year.
The increase is attributed to 41% growth in credit card-based payment services and the recently launched real-time bill query and payment service, eZeePay. “The strong growth in e-payment transactions reflects the growing need for viable and secure e-payment technologies in the region. The security and safety of credit card transactions is a critical factor in providing a versatile and convenient real-time bill payment solution for consumers,” says Ahmad Abdulkarim Julfar, general manager of eCompany.
Joint research by analyst firm IDC and security vendor Symantec found that between July and December 2004 the Microsoft SQL Server Resolution Service stack buffer overflow was the top attack detected by sensors in the financial services industry. The attack is commonly associated with the Slammer worm, but other malicious code, including some versions of Gaobot and Spybot, also uses it to compromise systems.
“Five of the top attacks against financial services organisations use HTTP as an attack vector. Known as web application attacks, they target applications or services that are conducted on or through HTTP. These attacks are worrisome because they allow hackers to circumvent perimeter security measures such as firewalls. They may also provide attackers with good access to an organisation’s confidential information,” Isaac explains.
Other verticals were affected in much the same way. The study shows that the government, manufacturing and retail sectors have also fallen prey to the Slammer worm and have been targeted by malicious code such as spyware.
HTTP attacks are also a major concern across all sectors, especially telecoms, where they accounted for seven of the top ten incidents. “It is the risk you take. We cannot afford to not be online — it is the only way to remain competitive. However, it is a major risk as we are exposing ourselves to attack,” says Fawaz Bassim, technology and product development manager for Wataniya Telecom.
As virus and malicious code attacks grow in number, so does the cost incurred by companies, governments and private individuals to clean up systems and restore them to working order: the cost of eliminating the virus and repairing the damage it has done, lost revenue, and the impact of downtime on worker productivity. These costs are not the only problem an organisation faces after a security breach, however. For many, the public embarrassment that such an event can involve is the more devastating blow.
“To be seen to fall victim to hacking or virus attack demonstrates to a company’s customers the organisation is not protecting itself well enough and does not have effective security in place. It highlights the business’ information could be easily exposed. For banks in particular, where the entire business is based on trust, this could be devastating,” says Youssef Laban, CIO of Banque Saudi Fransi.
Causing customers to lose confidence in this way can be even more damaging than the direct technical cost of an attack. The misfortune of internet auction house eBay, for example, was well publicised: when its website went down briefly earlier this year, the company’s share price dropped sharply.
However, things were slightly different for a Middle Eastern bank, which prefers to remain un-named. Although the bank’s online security was breached in a similar way, the damage was minimal because the incident was not made public.
“If our [situation] had been made public we would have lost more money through the loss of potential customers and the closure of accounts than we would have spent if we had just invested heavily in state-of-the-art, end-to-end security in the first place. We were extremely lucky, but we learnt the hard way that it’s better to make a big outlay to begin with rather than risk losing everything further down the line,” according to the bank’s CIO.
Although research conducted by Stonesoft across the Middle East’s private and public sectors reveals that most regional organisations have budgeted to enhance their security infrastructure within the next twelve months, many are concerned about the difficulty of integrating and managing their current environment.
“Companies in the Middle East are facing a unique challenge. They are increasingly vulnerable to cyber-crimes and viruses, while at the same time, many industry sectors are facing increased competition and enhanced business opportunities. These companies require solutions that can be implemented without causing much disruption,” says Jari Valvisto, director of Stonesoft in the Middle East, North Africa, and Eastern Europe.
It will always cost a corporation more to defend against these attacks than it costs the attacker to mount them, and because an organisation can never know which type of attack will be launched, it must protect against a wide range of possible scenarios. “Security is indeed a very big challenge, but it is one that must be met. We cannot afford to risk our confidential records and an all-round, multi-layered solution is essential,” affirms Mohamed Shafi, database administrator for GHQ — UAE Armed Forces.
Traditionally, security has been treated as a series of ad hoc projects rather than as a process, despite the fact that it affects efficiency across corporate functions. “Conventional patching is only effective against known threats, and is typically managed on an emergency ‘triage’ basis, which can be disruptive to normal operations. Also, the IT infrastructure remains exposed until patching is complete,” says Ahmed Etman, senior territory technical manager for the North and South Gulf at ISS Middle East. To buy time for more rational security operations, and to minimise business exposure, a security solution must protect IT assets against both known and unknown threats, he advises.
Enterprises cannot optimise their operations and profits with a conventional, reactive approach to security. While enterprises are starting to realise this, many still rely on the cycle of patch and panic. “Most financial institutions, and businesses in general, have the attitude that these attacks are something that only happen to other people. They do not begin to establish an effective security infrastructure until after they have suffered a severe breach. But it is not enough to wait until something goes wrong. It is too late by then. Good security needs to be put in place to prevent such attacks and it needs to be maintained [thereafter],” stresses Banque Saudi Fransi’s Laban.
A security platform that provides pre-emptive, enterprise-wide protection is therefore needed if enterprises are to assure business continuity and regulatory compliance. It is also needed to meet a range of other critical obligations: reducing the rising cost of security, eliminating emergency patching, and improving communication and co-ordination among key departments, including network, systems and security administration.
“Enterprise security must map directly to operational processes already in use. Such process integration is key in leveraging the security infrastructure to optimise corporate security posture, reduce cost and support business objectives,” explains Etman.
Threats exist at the network layer as well as at the application layer, so enterprise security demands a multi-layered approach that combines a range of technologies, such as intrusion prevention (IPS), anti-virus and vulnerability assessment, to address all types of threat.
To be effective, this approach must cover all infrastructure points, including networks, servers, desktops, remote offices and mobile devices. “With constantly evolving threats, security must be continuously refined and updated. It has to be integrated and operationally efficient. Manual threat response, information sharing and reporting is complex, time-consuming and ineffective. Automation allows centralised command and control, and a higher degree of visibility,” says Laban.
A seamless, holistic security infrastructure delivers actionable information, and industry analysts and corporate management alike are calling for security best practices that establish a process for enterprise-wide security. Gartner Research has coined the term ‘vulnerability management’ to describe an automated process with four critical steps: establishing and maintaining a security configuration baseline; discovering, prioritising and mitigating exposures; establishing security controls; and eliminating the root causes of vulnerability.
It is also essential to strike a balance between IT performance, availability and risk. “High levels of security are important, but it is not acceptable if they slow the network down — this is frustrating to users. An incredibly secure infrastructure is useless if it prevents people from doing what they need to do, so an equilibrium must be achieved between security and usability,” Laban adds.
In a successful security environment, continuous vulnerability assessment and threat prevention need to be combined with enterprise-wide information management and reporting. To enable this, the infrastructure must include a number of core capabilities.
Vulnerability mapping is essential to give a real-time picture of when new assets join the network and when new vulnerabilities are discovered, so that the organisation knows what is at risk. Intrusion detection systems (IDS), meanwhile, monitor security events and respond to them as they occur. Firewalls permit or deny traffic based on source, destination, port or other criteria, but they do not analyse that traffic for attacks or scan for existing vulnerabilities.
Critically, they also do not address the internal threat posed by company insiders. “A surprisingly high percentage of attacks are actually launched by employees and while some may be accidental, many — perhaps even the majority — are carried out maliciously by disgruntled employees. This is a danger that businesses certainly need to be more aware of,” says Heini Booysen, software program manager at IDC Middle East and Africa.
Protection prioritisation, based on asset importance and network configuration, also helps by identifying the most critical areas to protect first. Intrusion prevention and remediation, meanwhile, map to existing IT processes to give a common enterprise security view and collaboration across IT units, protecting against threats and handling policy exemptions.
Finally, customisable reporting shows incremental progress in risk reduction, and business-oriented reports provide the detail needed to pass audits and maintain compliance. “Players in the Middle East financial sector are gearing up for regulatory compliance through investments in their IT infrastructure,” says Adel Helal, senior vice president and head of the IT division at Union National Bank, commenting on new regulations such as Basel II and Sarbanes-Oxley, which require more transparency from financial institutions and impose stringent rules on archival policies.
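The contrast drawn above between a port-filtering firewall and an inspection layer, and the two attack classes the IDC/Symantec findings single out (the Slammer-style UDP/1434 probe and HTTP-borne web application attacks), can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the article or from any of the vendors quoted. The allowed-port policy, the 64-byte SSRP length threshold, the handful of web signatures and every packet in `SAMPLES` are constructed for the illustration. The only facts it relies on are that Slammer arrived as a single UDP datagram to port 1434 starting with the SSRP request byte 0x04 and roughly 376 bytes long, and that a legitimate instance-name request carries a name of at most 32 characters.

```python
"""Port-based filtering versus payload inspection (constructed example).

A firewall that decides by (protocol, destination port) alone passes both an
HTTP-borne web application attack and a Slammer-style UDP/1434 probe, because
each arrives on a port the policy permits.  A payload inspector looking at
the same packets flags both.  Hostnames, paths and packets are made up.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes


# Assumption: the perimeter exposes the web tier and, as many networks did in
# 2003, the SQL Server Resolution Service on UDP/1434 that Slammer exploited.
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443), ("udp", 1434)}


def firewall_allows(pkt: Packet) -> bool:
    """Stateless port filter: protocol and port only, payload never examined."""
    return (pkt.proto, pkt.dst_port) in ALLOWED_INBOUND


# A legitimate SSRP instance-name request starts with 0x04 and carries a name
# of at most 32 characters; Slammer's datagram also starts with 0x04 but is
# 376 bytes long.  The 64-byte cut-off is this example's own choice.
SSRP_REQUEST = 0x04
SSRP_MAX_SANE_LEN = 64


def is_slammer_like(pkt: Packet) -> bool:
    return (pkt.proto == "udp" and pkt.dst_port == 1434
            and len(pkt.payload) > SSRP_MAX_SANE_LEN
            and pkt.payload[0] == SSRP_REQUEST)


# Illustrative web-attack signatures applied to the URL-decoded request
# target; a real IDS ruleset is far larger and far more careful.
HTTP_SIGNATURES = (
    ("' or ", "sqli"),
    ("union select", "sqli"),
    ("../", "traversal"),
    ("<script", "xss"),
)


def http_request_target(pkt: Packet) -> Optional[str]:
    """Return the decoded, lower-cased request target of an HTTP request."""
    try:
        request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    # Decode once so %27%20OR becomes "' OR", then normalise case.
    return unquote(parts[1]).lower()


def classify_http(pkt: Packet) -> Optional[str]:
    target = http_request_target(pkt)
    if target is None:
        return None
    for needle, label in HTTP_SIGNATURES:
        if needle in target:
            return label
    return None


def inspect(pkt: Packet) -> str:
    """Verdict after the port filter and then the payload inspector."""
    if not firewall_allows(pkt):
        return "denied-by-firewall"
    if is_slammer_like(pkt):
        return "alert:slammer-like"
    web = classify_http(pkt)
    if web:
        return "alert:" + web
    return "allowed"


# Constructed traffic samples, not captured data.
SAMPLES = {
    "benign-get": Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "sqli-login": Packet("tcp", 80, b"GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "traversal": Packet("tcp", 80, b"GET /view?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "ssrp-ping": Packet("udp", 1434, b"\x02"),
    "ssrp-lookup": Packet("udp", 1434, b"\x04MSSQLSERVER\x00"),
    "slammer-probe": Packet("udp", 1434, b"\x04" + b"\x01" * 375),
    "telnet": Packet("tcp", 23, b"\xff\xfd\x18"),
}


def run_samples() -> Dict[str, str]:
    return {name: inspect(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        fw = "pass" if firewall_allows(SAMPLES[name]) else "drop"
        print(f"{name:14s} firewall={fw:4s} inspector={verdict}")
```

Running it shows the point of the paragraph: the firewall passes the SQL injection, the path traversal and the Slammer probe exactly as readily as the benign page request and the routine SSRP lookups, since all of them arrive on permitted ports; only the layer that reads the payload separates them. It also shows why the inspector decodes before matching: the injection is percent-encoded on the wire, and a signature applied to the raw bytes would miss it.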
“The region’s central banks are expected to impose these requirements in light of World Trade Organisation agreements, and in order to drive greater competition and thus ensure higher quality services in the industry. At this juncture, having a well designed solution is integral to a financial institution’s business in order to achieve compliance while increasing efficiency, customer service and long term return-on-investment,” he continues.
As Helal implies, a comprehensive and effective security infrastructure brings numerous strategic business advantages. For security administrators, the pre-emptive approach makes it possible to provide a higher level of security, and a correspondingly lower level of risk, while holding financial and staff resources at a fixed level.
When e-security is successfully addressed, there will be fewer helpdesk calls associated with breaches and less time will be spent rebuilding systems. Instead, the team can concentrate on system refinement for business critical systems and the deployment of new business services.
“In short, they can better protect the company: The security team is free to concentrate on the next level of threat or vulnerability rather than being involved in the progression, diagnosis and elimination of an attack,” enthuses ISS’ Etman, continuing, “Companies shielded against catastrophic attacks not only avoid downtime and lost business, but are also relieved of many of the overhead burdens associated with security uncertainty – emergency patching is virtually eliminated and security management is more streamlined and economical.”
However, can enterprises ever be truly protected? Between July and December 2004, Symantec documented 1,403 new vulnerabilities, which translates into more than 54 new vulnerabilities per week, or almost eight per day. Of these, 97% were rated moderately or highly severe, meaning that successful exploitation could result in partial or complete compromise of the targeted system.
Furthermore, 70% were considered easy to exploit, meaning that either no custom code is required or that such code is publicly available. Compounding the problem, nearly 80% of the vulnerabilities documented in the period are remotely exploitable, which widens the pool of possible attackers.
In addition, web application vulnerabilities and phishing attacks continue to pose serious and growing threats, according to Symantec’s Isaac. “Web applications are popular targets because they enjoy widespread deployment and can allow attackers to circumvent traditional security measures such as firewalls. Nearly 48% of all vulnerabilities documented between July and December 2004 were web application vulnerabilities,” he notes.
None of this engenders confidence among CIOs. Nor does the IDC/Symantec threat report’s estimate that, in the single year from May 2003 to May 2004, US banks and credit card issuers lost US$1.2 billion to phishing fraud.
IDC’s prediction for the future is just as grim: “The use of bots and bot networks for financial gain will likely increase, especially as the diverse means of acquiring new bots and developing bot networks become more prevalent,” Booysen warns, adding that malicious code targeting mobile devices is also expected to increase in number and severity. “With many groups researching vulnerabilities in Bluetooth-enabled devices, the possibility of a worm or some other type of malicious code propagating by exploiting these vulnerabilities increases,” he says.
Symantec also expects further security problems to lurk just around the corner: client-side attacks using worms and viruses as propagation methods are set to become more common, and the risks associated with adware and spyware are likely to increase.
Isaac does not believe that impending legislation to curb these risks will be an effective or sufficient deterrent on its own. He also suggests that attacks hidden in the embedded content of image, audio and video files will increase. “This is worrisome because image files are ubiquitous, almost universally trusted and an integral part of modern day computing,” he says.
The very nature of the internet means that hackers and virus writers are, and will remain, capable of causing disruption through ever more creative schemes. The anonymity and autonomy the worldwide web lends them means that these terrorists all too often get away with their crimes at the expense of legitimate businesses and their innocent customers. All an online enterprise can do is try to stay one step ahead by ensuring that its systems always meet best practice recommendations and are kept completely up to date.
As Laban says, “A bank would never leave its safe unlocked. It is always protected with locks, bolts, access codes, alarms…and it is always watched over by security guards. This is just common sense. No one should be able to gain entry unless they are authorised. Neglecting e-security is the same as leaving the bank vault unlocked, with the door standing open, and a ‘welcome’ mat outside. It would never happen in real life, and it should never happen online.”