By Maddy Reddy
When tested, many government and corporate networks in the Middle East are found to contain trojans and backdoors left by hackers. Such intrusions have the potential to embarrass, raise question marks about security and often result in financial loss for the organisation concerned. An increasing number of IT professionals in the region are turning to ethical hacking in an effort to identify and block gaps in their defences and give them peace of mind.
[Image caption: Banks must take extra care to guard against malicious hacks, says Khaldoun Alkhadi.]
Few CEOs and IT managers like to talk about it, but organisations in the Middle East are targeted by hackers. A number of these attacks bear fruit, with security experts in the region reporting that when they test networks, many that had been presumed secure are found to be rife with trojans and backdoors left behind by unwelcome visitors.
Security vendors agree that attacks on Middle East organisations represent around 1% of worldwide hacks. While not prolific, high profile hacks that cost corporations dearly in terms of finance and prestige are not uncommon.
One of the most damaging of these occurred three years ago when British hacker and UAE resident Lee Ashurst hacked into internet service provider (ISP), EIM, causing it to crash repeatedly over a period of two months. Ashurst was caught and convicted under a law designed to prevent interference with telecoms equipment, but the incident embarrassed the ISP and highlighted a dearth of dedicated legislation that could be used to prosecute hackers.
Ashurst’s capture was far from the norm as hackers are notoriously hard to trace. A hacker known only as Herbless has never been brought to justice for interfering with the web site of the British Arab Commercial Bank (BACB) in 2000.
In a security breach that was designed to do nothing more than embarrass, Herbless pasted an image of British premier Tony Blair on the site with a speech bubble saying: “Listen to Herbless, he talks sense”. While nothing was stolen, the hack did nothing for the credibility of the bank as questions were raised about its security policy implementation.
Arab banks and government institutions are the main target of hackers from abroad. Often, targets never even know they have been hacked until a set of security tests have been done.
“There are a number of situations where we have done a penetration test or a security audit and found that systems have been broken into previously. We find backdoors and trojans that have been placed. It does happen, when companies connect to the internet they are no longer in the Middle East, they are a potential target for anybody,” says David Michaux, CEO of Scanit, a Dubai-based penetration and vulnerability testing operation.
In addition, the incidence of companies carrying out deliberate security breaches of their competitors’ networks is becoming more commonplace as competition in the Middle East increases. “A lot of companies are using hacking as a means of commercial enterprise, it is a very big business. If individuals can steal a customer database they can use it to start up a rival company and target the same customers,” says Michaux.
Such attacks can hit any company’s operation hard, and especially those of financial institutions that have third-party liability. Also, in an industry that cannot afford to have its reputation for security tarnished, hacks such as that on the BACB network can cause long-term damage to a reputation, even if there is no direct financial impact.
It is these hazards that hackers pose to the banking sector, combined with the need for banks to increase their online presence, that is driving the financial services sector to invest heavily in measures to counter the risk.
One of the main ways organisations can protect themselves is by ensuring their staff are up to speed with the latest techniques and tools that are utilised by malicious, or black hat hackers. Consequently, there is an increased demand in the Middle East for places on ethical hacking courses that can teach security personnel some of the tricks of the trade.
Most such courses teach students how to penetration test their own networks to reveal server vulnerabilities, application vulnerability and patch errors. They sometimes advise security personnel how internal complications can be avoided by seeking the necessary permissions before a network is scanned and a penetration test is initiated. IT managers embarking on web site ventures are increasingly cautious about the risks and are keen to learn skills taught on white hat hacking courses.
Preparing for its internet banking launch later this year, the National Bank of Sharjah sent network administrator Khaldoun Alkhadi on one of the region’s high end ethical hacking courses. “In the banking field your network has to be up 24 hours a day or you will really have some problems,” says Alkhadi. “There is not a huge amount of hacking from the Middle East but when you go online everybody can reach you. The main point of ethical hacking is to know what vulnerabilities you have and to protect against these vulnerabilities and to patch your systems accordingly,” he explains.
Most ethical hacks, also known as white hat hacks, involve a series of penetration tests, where security is breached but no harm is done and corporate data is not interfered with in any way. The logic behind the process is that once administrators understand how to breach a system, they can deploy counter measures to ensure hackers’ access to a network is blocked. “I now have the knowledge base and understand the counter-measures which I can deploy to scan our systems, update patches and re-structure security. Before we go online we have to ensure that our system is 100% secure,” says Alkhadi.
But as security moves up the corporate agenda, it is not only those organisations that are classified as a prime target for hackers that are taking an interest in ethical hacking. Rather, white hat hacking credentials are increasingly being seen as an essential part of the make-up of any IT security team. It was the desire to implement a 360º security policy that prompted system analyst Yousif Mohammed Redha Kandi, of the Court of the Crown Prince of Bahrain, to attend an ethical hacking course organised by security firm TechZone in Dubai recently.
“We have not had any problems [with hacking] but we want to ensure we do everything we can to protect ourselves,” says Kandi. “Anyone who wants to be an expert in the security field these days should attend a course like this, so they at least know their enemy, how they think, what they do and what sort of tools are available to them,” he adds.
[Image caption: Ethical hacking gives useful insights into security, says Yousif Mohammed Redha Kandi.]
The interest in ethical hacking in the Middle East surprised even TechZone, which had to turn people away from its US$3200, five-day course because it was booked up in a matter of days. “The course was oversubscribed. Security is taking the right position in many organisations, and it is now one of the most critical areas of IT. Companies have to invest heavily because they have realised they stand to lose everything if not properly protected,” says TechZone’s managing partner, Mohammad Haleem.
But the very success of the ethical hacking industry in the Middle East also threatens to be its downfall. Dozens of security companies in the region now offer white hat hacking courses, but the effectiveness of the hacking methods detailed on some of these courses is questionable.
“Unfortunately most of the courses out there teach people how to hack unpatched and unsecured systems. The tools they use are available over the internet for free. But because they can show students a penetration test for the first time, the students think it is amazing. But in reality many of these courses do not represent what hackers are doing,” says Haleem.
Because of these issues, some security experts believe that such courses should be strictly monitored and potential students vetted before information on how to breach systems, and where to access hacking tools, is imparted. Many go a step further and suggest that legislation should be enacted to bring some transparency to an industry that is unregulated and thriving.
“I am not convinced that the number of hacking incidents will be reduced by teaching more people how to hack,” says Abdul Karim Riyaz, director of security business partner operations for Computer Associates Middle East (CA-ME). “I believe ethical hacking should not be taught to any individual with a few dollars to pay for a course because the courses teach people who would not otherwise know where to download the tools and who do not know the easy methods of compromising a company, how to do it,” he adds.
Some self-regulation is present among the companies behind the higher end ethical hacking courses. Companies like Scanit and TechZone go a long way to ensure that their course material is entirely relevant to network security and clients have a legitimate reason to enrol. Also, the hefty price tag of these courses ensures students are usually from a telco, banking or large enterprise background and are likely to remain on the right side of the law.
While white hat hacking courses may assist members of an IT team in penetration testing their own networks, in some instances this is not the best way of assessing security against malicious hackers as an outsourced penetration tester can provide a more balanced view of security. When an organisation implements a new solution from a security vendor they will frequently employ a third party ethical hacker to test systems for vulnerabilities.
Scanit says the demand for these services in the Middle East has increased at such a rate that its business has grown by around 300% per year over the last three years. Furthermore, around 75% of the Belgium-based company’s business now comes from the region, indicating that demand for such services is outstripping supply as security becomes less of a grudge purchase and more of a key concern.
The company’s penetration tests, which cost anything from US$5000 to US$250,000 depending on the number and complexity of systems tested, are initiated upon instruction of senior executives and without the knowledge of the inhouse IT team.
In a business where trust is crucial, Scanit has gone a long way to ensure it can garner the faith of some of the region’s largest banks, airline operators and oil & gas sector clients. Gone are the days when white hat hacking firms would hack a company and then approach it to suggest a vulnerability test and point out network weaknesses. These days all processes are carefully contracted and signed off well before testing begins. The firm is covered for US$25 million per day damages, is Nato cleared and vets its recruits rigorously.
“We never employ former hackers, as they are really difficult to control. We have to find someone with a little bit of a twist, but they have not gone full circle. Normally we recruit from the telecoms sector or people with an ISP background; places where people have come up against a lot of different systems and have a lot of different experience,” says Michaux.
“They know where the problems lie, they know how to exploit them and they know how hackers work. We put them through a number of different processes before we recruit them. Because the company is Nato cleared, we have to be careful who we take on,” he adds.
Michaux argues that third party testing is more effective than testing by a security solutions vendor or an inhouse IT team because the former has another agenda: to sell products, and the latter’s view of their own network is too blinkered. In addition, spotting application vulnerabilities, as opposed to server patch update errors, requires specialist skills.
“Application vulnerability, when the people who wrote the app did not do a good job, is what we focus on. That is where you need the real skill and the good people. This is better done by third party specialists because it is hard for members of an IT department to spot mistakes in their own work,” adds Michaux.
For the moment, external penetration tests are primarily initiated in the Middle East by large enterprises, the oil & gas and financial services sectors. For small-to-medium sized businesses (SMBs) the risks of a debilitating attack are smaller, so companies in this sector are less enthusiastic about spending time and money on penetration tests that may or may not identify all the vulnerabilities in their networks.
With a recent Oracle poll indicating that more than half of security threats are posed by current or former employees, some believe monies spent on penetration and vulnerability tests could be better directed elsewhere.
“Before companies embark on ethical hacking, they should find out if money which is being spent in this area could be better utilised in finding out vulnerabilities in their network elsewhere,” argues CA-ME’s Karim Riyaz. “Educating end users about the best security practices in the workplace cannot be underestimated. Companies should make sure their internal security is good before they worry about external threats,” he adds.
Despite this argument, the region’s appetite for ethical hacking continues unabated. In response to this demand, TechZone is increasing the frequency of its ethical hacking courses to every 40 days and adding an advanced ethical hacking course to its catalogue. “There is a demand for two reasons. First, companies in the Middle East have realised they have to invest in security because they could stand to lose everything. The other reason is the natural human interest in hacking. People like to be trained on it, there is an internal curiosity about it,” says TechZone’s Haleem.
Meanwhile, several Middle East governments are initiating laws specifically to deal with hackers. Leading this is the UAE, in which a special committee of the Ministry of Justice and Islamic Affairs is revising a draft of an electronic transactions and commerce law (ETCL) that will address crimes such as hacking, stealing credit card numbers, invasion of privacy, copyright violations and online theft. Although delayed — the law was due to be enacted in September last year — it is expected to receive the rubber stamp soon.