Middle East Cyber Security Threat Report published in Cyber Security for Energy and Utilities Conference. 23 - 26 March 2014 - The Westin Abu Dhabi Golf Resort & Spa, Abu Dhabi, United Arab Emirates
Cyber Security for Energy & Utilities Special Editorial Edition
1. Middle East Cyber Security
Threat Report 2014
Cyber Special EDITORIAL Edition
Special insights from: Mohamed N. El-Guindy, Information Systems Security Association,
Egypt Chapter, Founder and President
2. Middle East Cyber Security Threat Report 2014
Since my last cybercrime
research in 2008 [1],
cyber security threats
have grown and
matured. Subsequently,
cybercriminals and even
terrorists have become
capable of carrying out
sophisticated cyberattacks. In this context, cybercrime continues to
grow rapidly in the Middle East and takes new
paths every day. In contrast, governments in the
region are losing millions of dollars annually [2]. As
long as governments will be dependable on new
technologies and deal with security as a “nice to
have”, their ICT infrastructure will be vulnerable to
more sophisticated cyber-attacks. Not only ICT,
the region witnesses new era of terrorism in which
terrorists exploit the 21st century technologies to
carry out terrorist attacks; therefore, I suggest that
the situation will continue to worsen in 2014.
Politically and religiously motivated attacks
Our region is volatile and instable due to political,
economic and social problems. These issues will
increase motivated attacks carried out by groups
of “Hacktivists” that penetrate or target systems or
users for political or religious cause. The majority
of cyber-attacks in the region are the work of
Hacktivists with a message they want to spread.
The so called “Arab Spring” increased these types
of attacks and current chaos in the region will
escalate conflicts and increase the politically and
religiously motivated attacks. Obvious examples
are the bloody conflicts in Syria, looming tension
between Saudi Arabia and Iran, and the Arab-Israeli
conflict.
Study revealed [3] that Syrian Electronic Army,
the pro-regime group, used social engineering
techniques and malware attacks to target users
and NGOs in Syria and other countries. What the
study didn’t mention is that other anti-Assad groups
[4] are also hacking websites and targeting users
on the internet. A group called “Lewa’ Al-Sham”
or “Levant Brigade” announced that it hacked TV
channels websites [5] that support Assad’s regime.
Religion is big player in emerging cyber-attacks,
especially website defacement.
Due to change in US policy towards Iran and Saudi
Arabia, the Saudi-Iranian tension [6] will increase
and will affect Middle East geo-politics; therefore
related politically and religiously motivated attacks
will grow and will become destructive, especially
when carried out by professional hackers.
Most cyber-attacks that originate from within
Middle East and target Middle East ICT
infrastructure are DDoS attacks [7] and website
defacement [8]. But other sophisticated cyber-
M ID D L E E AST C Y BE R S E C U R IT Y T H R E AT REPORT 2 01 4
3. 1010101010101010101010101
01010101010101010101010
1010101010101
Boo
k an
p
9 Fe ay bef d
or
bru
to s ary 2 e
ave
up t014
US$
o
Evolve Evolve and adapt in SCADA, DCS and ICS security
and adapt in SCADA, DCS and ICS security
23 - 26 March 2014
Evolve and adapt in SCADA, DCS and ICS security
The Westin Abu Dhabi Golf Resort & Spa, Abu Dhabi, UAE
23 - 26 March 2014
Don Codling, Former Cyber
Bill Cheswick
Security Unit
Creator of the world’s first StatesChief, FBI,
United
network firewall & Author of
“Firewalls and Internet Security:
Repelling the Wily Hacker”
VIP Keynote speakers:
Bill Cheswick
Creator of the world’s first
network firewall & Author of
“Firewalls and Internet Security:
Repelling the Wily Hacker”
Dr. Jamal Mohamed Al Hosani
Official Spokesman & Director
ICT, National Emergency Crisis
VIP Keynote speakers:
& Disaster Management
Authority, UAE
Lt. Col. Faisal Mohamed Al
Shamari, Chief Information
Security Officer, Abu Dhabi
Police GHQ, UAE
Exclusive presentations from:
Dr. Jamal Mohamed Al Hosani
Official Spokesman & Director
ICT, National Emergency Crisis
& Disaster Management
Authority, UAE
Mohamed Al Sawafi, Head of IT Services, GASCO, UAE
Reimer Brouwer, Head of IT Security, ADCO, UAE
Mohammed Ikrami, IT Security Officer, Fertil, UAE
Andrey Zolotavin, Senior Real Time Systems Engineer, KOC, Kuwait
Habeebu Rehman, Sr. Supervisor IT Security, Petrorabigh, Saudi Arabia
Abdullah Al-Akhawand, Sr. IT Engineer, KGOC, Kuwait
Moazzem Hossain, Operations Planning and Studies Department Manager, ADDC, UAE
Mahmoud Yassin, Lead Systems and Security Data Center Group, NBAD, UAE,
Ali Rebaei, World’s Top 51 Big Data Influencer, Expert and Consultant, UAE
Gilles Loridon, CEO, Global Security Networks, UAE
!
“Free golf training session
The Westin Abu Dhabi Golf Resort ^ Spa, Abu Dhabi, UAE
for the first 30 registered
attendees!”
Celebrity speakers:
23 - 26 March 2014
The Westin Abu Dhabi Golf Resort & Spa, Abu Dhabi, UAE
Celebrity speakers:
650
Benefits of attending:
Benefits of atten
Don Codling, Former Cyber
Identify emerging cyber threats and evolving landscape in the energy and utilities industries
Security Unit Chief, FBI,
Identify emerging cyber thr
Understand the need to protect critical infrastructure and its impact on energy economics
Determine bestUnited States
security practices for ICS/SCADA systems
Understand the need to pro
Learn to protect real time systems from cyber attacks
Know how to protect cloud computing networks
Determine best security pra
Tackle backdoor interface vulnerabilities in SCADA systems
Understand cyber defence strategies and their subsequent implementationLearn to protect real time s
Interact and network with industry experts from leading national and international oil
Know how to protect cloud
companies, IT security solution providers, as well as banks, power and telecom companies
Tackle backdoor interface v
Associate sponsors:
Exhibitor:
Understand cyber defence
Interact and network with i
Lt. Col. Faisal Mohamed Al
Supported by:
companies, IT security solu
Shamari, Chief Information
Security Officer, Abu Dhabi
Police GHQ, UAE
Associate sponsors:
Media partners:
Researched and
developed by:
Exclusive presentations from:
And many more…
Mohamed Al Sawafi, Head of IT Services, GASCO, UAETel: +971 4 364 2975 Fax: +971 4 363 1938
For more information or to register Reimer Brouwer, Head of IT Security, ADCO, UAE
Email: enquiry@iqpc.ae www.cybersecurityme.com
Mohammed Ikrami,For moreOfficer, Fertil, UAE to register - Tel +971 4 363 1938
IT Security information or
Andrey Zolotavin, Senior Real Time Systems Engineer, KOC, Kuwait
Email: enquiry@iqpc.ae www.cybersecurityme.com
Habeebu Rehman, Sr. Supervisor IT Security, Petrorabigh, Saudi Arabia
Abdullah Al-Akhawand, Sr. IT Engineer, KGOC, Kuwait
Moazzem Hossain, Operations Planning and Studies Department Manager, ADDC, UAE
MIDDLE EAS T CYB ER S ECU RIT Y T HREAT REPORT 20 14
Mahmoud Yassin, Lead Systems and Security Data Center Group, NBAD, UAE,
Ali Rebaei, World’s Top 51 Big Data Influencer, Expert and Consultant, UAE
Gilles Loridon, CEO, Global Security Networks, UAE
4. attacks started to appear in 2012 such as Saudi
Aramco [9] and RasGas [10] attacks. What will
make things worse is the Iranian nuclear project
which still at early stages to develop real nuclear
threat. But other players in Middle East especially
Saudi Arabia see this as a real threat and will
outsource real warheads and “ready-made” nuclear
technology from Pakistan [11]. This arm race is
dangerous in this unstable region and the fear is
growing when one can think of Stuxnet-like [12]
attacks that may target this off the shelf nuclear
technologies which might result in Middle East
Fukushima [13].
The Arab-Israeli conflict is another motive for
cyber-attacks in the region. Many online groups are
organizing cyber campaigns to attack Israeli [14]
websites and reveal financial information. On the
other side, Israeli groups are also conducting cyberattacks against Arabic websites [15]. Although
most of the Arab attacks are not state-sponsored
and can be categorized as propaganda, Israeli
policymakers see this as real threat and consider
it “Cyber terrorism” [16] which requires offensive
reactions and even military attacks. They also
established state-sponsored units [17] to wage
Cyberwar with sophisticated capabilities [18].
The chaos in Middle East will also escalate the
growing conflicts of Jihad for the Caliphate.
Al-Qaeda and its inspired groups will continue
to conduct bombing and killing across the
region and other form of Jihad is exploiting the
new technologies to cause harm. I will publish
a dedicated research soon to investigate this
phenomenon in the Middle East.
Other dangerous trend we may witness soon
in our region is a “Hacker for Hire”. Professional
hackers and cyber mercenaries [19] can be hired by
governments [20] or private sectors from outside
the region to conduct sophisticated cyber-attacks,
no matter what the motive is, political [21], religious
or financial.
Financial Attacks
When it comes to cyber-attacks for financial gain,
Middle East is a fruitful target for cybercriminals
because of low level awareness of users, lack
of technical and legislative capabilities and the
availability of liquid money. Banks in the region
are the biggest losers when it comes to financial
cyber-attacks as criminals go where the money
is. In 2013, a group of cybercriminals stole over
$45 million [22] from two banks in the Middle
East, Bank of Muscat in Oman and National Bank
of Ras Al Khaimah “RAK Bank” in the UAE. Cyber
gang hacking into a database of prepaid credit
cards belonging to the banks, and then using
fake cards to withdraw money from ATMs in 27
countries. The cards database was held by Indian
payment processors that got hacked by the cyber
gang. Banks and payment processors admitted
the attack but that what revealed. There are other
attacks that occurred around the clock in the region
but no revelation. Some financial institutions may
fear losing customers if they reveal that they got
hacked. Lack of transparency makes the situation
worse as users must know that their accounts
are affected and should know how banks will
recover and how they will deal with future attacks.
It’s important for customers to understand that
banks have the responsibility of protecting both
their own data and customer’s data. If banks
M ID D L E E AST C Y BE R S E C U R IT Y T H R E AT REPORT 2 01 4
5. 1010101010101010101010101
01010101010101010101010
1010101010101
are not responsible, so what will be the point of
having security policies at enterprise level? Having
security policy is one thing; however, enforcing
these policies is another. Enforcing and building out
polices is a whole educational awareness process
that needs to be addressed effectively.
This is maybe the reason most banks and financial
institutions in the Middle East do not have strict
policies when dealing with electronic payments.
The following issues could be easily spotted in
many banks in the region:
r Payment card statements with full details sent
via postal mail
r Customers allowed to put large sum on not
carefully monitored cards
r Bank websites have web application
vulnerabilities such as non-secured login boxes
r Emailing security-sensitive information
insecurely to customers
r Absent or poor security awareness training and
education for employees
r Poor security policies and absence of training for
merchants
r Loopholes for compliance are available due to
corruption (Financial institutions and or
merchants can get PCI-DSS, ISO27002 etc.
without applying the required guidelines)
r ATMs are not carefully protected and might be
placed at unsafe environment
r Outsourcing services that are related to sensitive
or critical information without paying much
attention to the security policies and reputation
of the outsourcing partner.
r Mobile payments are being implemented with
the same weakness related to payment cards.
Attackers will not only target large bank banks and
financial institutions, they will also target small
entities that deal with money such as merchants
and POS operators due to their lack of security. The
increase of Middle East online consumer habits
with the growth of mobile payment platforms will
increase risks for payment processors, banks and
merchants. Due to the increase of mobile internet
in Middle East [23] and the growth of e-commerce
sales that reached $27 billion in 2013 [24], the
region will be big target for cybercriminals. Not
only cyber gangs who are interested in Middle East
financial data, foreign intelligence agencies are also
big players with their state-sponsored attacks [25].
One of the most important reasons that will
make the region vulnerable to more sophisticated
financial cyber-attacks is the regulation frameworks
as hackers and cyber gangs are looking for places
with poor or absent regulation to commit their
crimes. Cyber regulations are poor in Middle
East [26] and even lack the correct definition of
cybercrime. Indeed, there are laws dedicated to
cybercrime in the region and also cyber-related
laws but governments need to update them so
often to reflect the rapid change of such hi-tech
crimes and should be harmonized with the path of
the rest of the world. But due to the political issues,
most cyber laws are drafted to suppress freedom
of speech and do not address the real threat of
cybercrime. In addition, policymakers are dealing
with cyber regulation from old perspective in which
crimes committed within specific location. This is
completely wrong when dealing with cyberspace
as it’s not location dependent. So when they deal
with cybercrime law, they have to go beyond their
countries as the crime itself is transnational.
MIDDLE EAS T CYB ER S ECU RIT Y T HREAT REPORT 20 14
6. As long as governments in the region will not
address these issues, financial cyber-attacks will
increase in 2014 and I expect that we will see more
sophisticated attacks that will target financial
institution in the region.
Future Threats: Everything will be hackable
I published research paper in 2011 investigating
the 21st threats and Middle East dilemma [27]. I
expected that the situation will be worse in future
because both governments and users lack future
strategies and are looking always to access
advanced technologies with consumer mindset.
Since this the norm in our region, there will be no
progress when it comes to future technologies.
Everything will be connected to the Internet to
form the new era of “Internet of Things” [28] and
we will strive to protect devices that embedded
in our homes, offices, cities and even our bodies.
This situation might not appear in 2014 but
things are moving faster in 21st century and we
might see sophisticated attacks target connected
devices that will cause panic [29]. This complex
and connected world created the Big Data that will
result in big benefits and big threats as well [30].
Additional cyber threat that will affect Middle East
is cyber-espionage or spying that sparked debate
in 2013 with the revelations of NSA surveillance.
I expect that cyber-spying activities by western
intelligence agencies will continue to grow in 2014
due to political situations, instability, chaos and
terrorism. I argue that other players will enter the
espionage game in the region. China, with its large
numbers of connected electronic devices being
used in the Middle East will be one of the biggest
players when it comes to cyber espionage.
As Middle East center of gravity is shifting from
Saudi Arabia to Persian Gulf [31], Iran as a regional
superpower and second to Israel, will enter the
cyber-espionage game. Consequently, we will
witness more dangerous cyber-attacks and cyber
threats to originate from Iran and will be carried out
by its state-sponsored cyber army [32]. Although
Iran’s cyber capabilities couldn’t be compared to US
and Israel and even not destructive against them,
it might be destructive if used against “vulnerable”
[33] Middle East countries. In addition to cyberattacks, Iran has also access to advanced warfare
technologies such as drones that will be used in
future attacks as ultimate asymmetric weapons.
Middle East states need to understand that off
the shelf technologies will not solve any security
issue but it might make things worse. They need
to address their internal issues and invest in their
human capital to adapt with the 21st century or the
consequences will be more dangerous in the years
ahead.
Source:
Mohamed N. El-Guindy
Information Systems Security Association, Egypt
Chapter, Founder and President
http://netsafe.me/
December 25, 2013
M ID D L E E AST C Y BE R S E C U R IT Y T H R E AT REPORT 2 01 4