By Karen Hart
Emirates Business 24/7
December 23, 2007
With no major worm outbreak in the past two years, CIOs are feeling much
safer now. That should be good news but complacency may be setting in
without big attacks grabbing headlines.
CIOs' top priorities are improving business processes, controlling costs
and retaining customers. Security fell out of the top 10 priorities,
said Gartner security analyst John Pescatore. One of the problems, he
said, is that enterprises are not thinking about security for new
threats. Firms may have old threats covered, but it is the new scenarios
that carry the big bang.
New products and new technology are creating new holes to exploit.
Businesses have not done the threat modelling, said Pescatore.
The software powering mobile phones, for one, is getting less
heterogeneous by the minute as Windows Mobile gains market share. That
means the list of potential victims is growing. In addition, people tend
to trust files sent via text messaging.
Researchers at McAfee Avert Labs concur. They expect an increase in web
dangers and threats targeting Microsoft's Windows Vista operating system,
among other new or increased threats.
Threats are moving to the web and newer technologies such as VoIP [voice
over internet protocol] and instant messaging, said Patrick Hayati,
regional director, McAfee Middle East.
Professional and organised criminals continue to drive a lot of the
malicious activity. As they become increasingly sophisticated, it is
more important than ever to be aware and secure when traversing the web.
Then there is the ever-present internet espionage currently being used
by over 100 countries, which is becoming more of a trend by the day,
according to a McAfee report. The study finds that the number of
cyber-espionage incidents and computer attacks on critical national
infrastructure is rapidly increasing around the world.
This is the rough consensus of the security experts we have spoken to,
and a credible figure given how low the barriers to entry are. All you
need is a few computer science graduates, said Ian Brown, lead
researcher for McAfee and a security expert at Oxford University.
This year saw a record number of incidents in which countries reported
an attempt to infiltrate their information defence systems or an attack
aimed at disrupting key organisations such as air-traffic control,
financial services or utility companies.
One of the highest-profile incidents was in April, when Estonian
officials accused Russia of mounting a series of cyber-attacks that
brought down the websites and information technology networks of state
institutions such as the president's office, ministries, parliament and
the police, as well as political parties. The press and banks were also
Earlier this year, Dubai eGovernment said one of their platforms was
attacked by hackers attempting to corrupt data and damage websites. No
financial or personal information was accessed or damaged, it said.
Salem Al Shair, eServices Director, Dubai eGovernment, explained: We
have two platforms. The eHost and the eHost Plus. While eHost Plus is
highly developed and hosts very sensitive sites, eHost is less developed
and hosts limited data sites.
The hacking incident happened in the eHost, the first time it was
penetrated. eHost Plus has never been, and hopefully never will be,
penetrated. We have had hundreds of attempts to penetrate eHost Plus but
so far no one has been successful.
Even though Dubai eGovernment had Dh55 million of transactions online
last year, there is no rewarding information on either platform, Al
Shair said. A hacker cannot get any financial gain. We do not keep any
credit card or bank information. Financial matters, which a lot of
people are worried about, are very well protected and will not be
Personal information is just in the range of name, age and date of
birth. The only thing that we worry about is that someone comes in and
damages some of the files. It takes substantial effort to bring them all
But even obtaining personal information can pose a huge personal
security risk, said John Paul Moralde, ENSB Operations Engineer at
Corrupt individuals can use this information against their victim by
pretending to be the victim. Having a victim's personal information can
leverage the culprit's malicious intent by consistently using this
information to personally harass the victim, he said, adding that
computer-related laws in the UAE are not very well implemented.
IT systems in the Middle East are not that mature but a lot of efforts
are being made to address this problem, Moralde said.
The Middle East is now placed second in worldwide IT security services
spending, with the Americas region topping the list, according to a recent
report from market analyst IDC. The company said in its latest report on
the region that expenditure on security appliances and software grew by
60 per cent in 2006, with the market forecast to grow at an average rate
of 23 per cent each year through to 2011.
Growth in the financial sector, and an increasingly sophisticated
enterprise sector are driving demand, according to the report. Security
expenditure is focused on perimeter defence, with threat management
solutions making up 56.4 per cent of 2006 total spend, marking a growth
of 61.2 per cent year-on-year.
Spending on secure content management is also high, taking up 24 per
cent of expenditure, and security and vulnerability management rank as
third-highest expenditure with 11.4 per cent.
The biggest spenders on security solutions are government, which
accounts for 26.9 per cent, followed by telecommunications and finance,
with 22.6 and 21.2 per cent share, respectively.
Saudi Arabia makes up the bulk of spending, accounting for 41 per cent
of the market, with the UAE second with 31.2 per cent. IDC predicts that
all GCC markets will continue to show double-digit security spending
growth in 2007, with Saudi Arabia expected to grow by 45 per cent, the
UAE by 36.6 per cent and Bahrain, Kuwait, Oman and Qatar as a whole by
27.2 per cent.
The IT security market benefits heavily from investments in basic
infrastructure by companies across the region, which inevitably includes
threat management and secure content management technologies, said Vinay
Nair, senior analyst at IDC MEA. A large number of firms are making
increasingly sophisticated investments in information leakage detection
and prevention technology.
Unlike many states in the US, there is no legal requirement in most
parts of the world to disclose data breaches to the public. Moreover,
there is no centralised organisation to which businesses can report
computer crime, a factor businesses claim is very frustrating.
There is no specialised authority to report e-crime other than the local
police station and they have little understanding of it. It is a major
problem, said David Roberts, Chief Executive of Corporate IT Forum,
which represents computer users in about half of the FTSE 100 companies.
According to Dubai eGovernment's Al Shair, Dubai has a dedicated police
unit called the e-crime division. I'm sure they operate with the
collaboration of Interpol and other anti-crime agencies in the world.
Asked if e-culprits can be convicted in Dubai, he said: There is a local
law issued by the government on e-crimes. But to be frank, I haven't gone
through the whole thing. Al Shair added that Dubai is not an exception
to the rise in e-crimes. This problem is not limited to Dubai. Criminals
are using technology to commit crimes in organisations around the world,
he said, citing the CIA and Pentagon as examples.
According to US-CERT, there were 5,000 cases of e-crimes reported in the
US in 2005, which rose to 23,000 in 2006, and in the first quarter of
2007 alone, 19,000 incidents have been reported.
The US Government has spent $64 billion (Dh234bn) on information
technology systems, out of which eight per cent has gone to security.
The UK Government spends 11 per cent of IT expenditure on security.
Still, 62 per cent of their businesses have been hacked one way or
another, Al Shair said.
The issue of being hacked is not a taboo. It is the same old fight
between good and evil. However, we have to understand this is a long war.
When you improve your security, the hackers do the same.