Microsoft's chief security engineer says that the vast majority of attacks are easily prevented using simple steps
The GCC remains a lucrative target for cybercriminals, particularly those using “botnets” which allow hackers to remotely take control of devices, often without the knowledge of the device’s owner, according to Microsoft.
In its latest security intelligence report, the GCC makes up nearly 11.4 percent of the Middle East’s total bot population, with the Saudi capital of Riyadh itself accounting for 43.1 percent of bots in the region.
According to the data, Dubai was ranked as the second most bot-infected city in the GCC, with 24.7 percent of bots.
Statistics show that while increased awareness and investment in cybersecurity saw attacks decline in the first half of 2018, cyber criminals still managed to steal close to AED 4 billion from victims in 2017.
Speaking to Arabian Business in Dubai, David Weston, Microsoft’s principal security engineering manager, noted that while security is improving and the number of cybercriminals is believed to be decreasing, they are becoming increasingly sophisticated.
“The actual number of attacks we are seeing is dropping linearly, year on year we are seeing less and less,” he said.
“You can see that in the price of a weaponised exploit [used by hackers], which has skyrocketed, to hundreds of thousands or millions of dollars. That’s representative of the scarce supply of people who can turn a vulnerability into something that would work [for a hack].”
Weston added that, in the case of Windows, “the protections we are putting into the platform represent a whole different level of skill.”
“When I started in security, you could probably learn to write an exploit within a weekend…now we’re talking months or years of investment to even implement that,” he said. “That limits the amount of people who can do it….but my assumption is that the attack community as a whole though is that it’s better than it’s ever been.”
Weston added that the most common cyber threats, however, are not from highly sophisticated attackers, but through relatively simple attacks accomplished through social engineering – such as sending a phishing e-mail with a malicious attachment – or through poorly secured cloud apps.
“The vast majority of attacks are easily prevented, one way or another. There are practical solutions. Phishing and social engineering are massive attack vectors,” he said. “There are many things, including user education. Other things we see are running out of date software, that’s a big gotcha.”