After a serious cyber attack on the biggest bank in Qatar, has the financial sector woken up to the risks? Qatar Today finds out where the pitfalls lie and how they can be filled.

In April last year, a major cyberattack on Qatar's largest lender sent reverberations around the globe. A group of unknown hackers claimed to have broken into the servers of Qatar National Bank (QNB) and leaked 1.4 GB of data from a database containing personal data of its customers. The massive data dump contained hundreds of thousands of financial records, including credit card numbers with their PIN codes and customer transaction logs. Moreover, the hackers also claimed to have leaked banking details of some members of the Al Thani family, Al Jazeera journalists, officials from the Ministry of Defence, the State Security Bureau "Mukhabarat" and several other intelligence agencies. What was truly frightening was that the dump also contained personal information collected from several non-QNB sources such as social media, put together with the aim of creating a complete profile of certain customers. The breach was massive, it was public and it shocked people and institutions into action. What until then was thought of as something that happens to someone somewhere else had hit home hard.

The Governor of Qatar Central Bank, HE Sheikh Abdulla bin Saoud Al Thani, noted that cybercrime is now considered the second most common economic crime in the Middle East. Speaking at a Dean's Lecture at Carnegie Mellon University in Qatar, he emphasised the importance of strong cyber governance, continuous monitoring, step-by-step detection and a well-designed contingency plan to mitigate any vulnerability on account of cyber risks to Qatar's financial sector. "Both attackers and their motivations are becoming more diverse – from financial gains to disrupting activity to causing political and financial instability," he remarked, noting that cybercrime in Qatar increased by 52% in 2015 over the previous year.

The wake-up call

Security analysts are understandably on edge. "Firms are coming under attack daily. It is well known that financial institutions across the region have prevented a number of attacks and also that a number of cyberattacks have succeeded in penetrating organisational defences. However, there is also a perception that the region is next in line for a major/sustained cyberattack, following large-scale strikes in other parts of the world," says David Cafferty, Risk Consulting Director at Crowe Horwath UAE, and a Member of the Chartered Institute for Securities and Investment (CISI). Exacerbating this challenge is the shortage of highly skilled people in this field in the region, which is also geographically far from major technology centres, making the availability of quality support, implementation expertise and the reliability of providers even more important, according to Soubhi Chebib, General Manager at GBM Qatar.

Consumers in the region are also doubly vulnerable to attacks on financial institutions because they are somewhat less protected than their counterparts in, say, Europe. "In Europe, a consumer is protected by the European Union legislation for consumer protection, which means that a consumer can only be held liable for a very small amount of damage in case of a data breach or theft. Here it is different and the consumer is more or less liable for any misuse of electronic accounts, or at least the legal process is hard and cumbersome," says Nicolai Solling, Chief Technical Officer at Help AG. "For the same reason, the banks in the European Union are very focused on minimising risks as they hold the liability. One of the ways this affects the way the banks operate is that in Europe you will not find many banks without a proper two-factor authentication solution for users, whereas here in the Middle East this is something that has only recently been applied by a large portion of banks."

Under these circumstances, it has become increasingly important to understand the drivers of these cyber risks to help boost policies and strengthen risk governance, according to Cafferty. "Regional governments are very aware of the threat, and the formation of Computer Emergency Response Teams (CERT), and the development of national strategies, is indicative of that," he says. This is substantiated by HE Al Thani, who spoke encouragingly about the steps the Qatar government has taken to combat cybercrime, including establishing the National Cyber Security Strategy. "Going forward, in order to benefit from the resiliency efforts of the financial institutions, Qatar Central Bank is preparing the Qatar Financial Sector Information Security Strategy, which will enhance and maintain information security and create a more resilient and secure cyberspace to safeguard the financial sector in Qatar," he said.

As a result of this, there is an increasing awareness of cybersecurity. Solling says this emphasis on cybersecurity in Qatar will only increase in the coming months with Qatar's recent promulgation of Law No. 13 of 2016 concerning Privacy and Protection of Personal Data. "The first of its kind in the GCC, the law places new restrictions on how personal data of an individual is to be processed in accordance with principles including those of transparency, integrity and respect for human dignity and acceptable practices," he says. To comply with this, financial institutions, which handle large volumes of sensitive personal information about their customers, will no doubt have to rethink their operations and protocols, if need be, and also conduct regular training of their staff.

But the government can always do more, as Cafferty illustrates. "Governments receive information on individual attacks but they could do more to assist organisations by sharing this information and using it to create threat assessments, and typologies/case studies, for dissemination to a wider audience. But again, there is a cultural issue around scaring people – perhaps unnecessarily. However, not only should organisations be scared, they need to be scared into taking a more robust, strategic and holistic approach to cyber-risk."

Chebib agrees. "IT security is not something that can be implemented and then forgotten; it requires constant monitoring and periodic updates that keep it up to date with the latest batch of threats and malware on the scene," he says. "In addition to this, IT security should not be taken alone to ensure the protection of systems; it should be woven into the overall security strategy of the organisation. In fact, many organisations have established a designated Chief Security Officer position, thus assigning the maintenance of the overall security of the company to a single person who reports directly to the CEO of the organisation."

Patching up vulnerabilities

Globally, the financial services industry is under a barrage of ransomware and spearphishing attacks, according to a new survey conducted by the SANS Institute gauging the state of risk and security in the financial sector. For the first time, ransomware, identified by 55% of respondents, has eclipsed spearphishing (50%) as the top attack vector. Such attacks have caused considerable damage, with 32% of survey respondents citing losses of between $100,001 and $500,000 as a result of their breaches. While the sample size of Middle East-headquartered organisations in the survey is reasonably small, as Chebib says, "Cybersecurity has no physical borders. Wherever you are or the system is around the world, attacks can be mounted from and to anywhere. Certainly, cyberattacks are politically motivated and we witness this from time to time. Qatar has taken strong measures to employ very sophisticated cybersecurity solutions and continues to update them in order for the services to be provided reliably and uninterrupted."

While Qatar, together with the UAE and Saudi Arabia, leads the IT market in the GCC, spend alone will not ensure security. "Cybersecurity spending now accounts for a significant portion of IT budgets in the Middle East. What remains unclear is whether they are sufficiently equipped to defend against these attacks," said Ned Baltagi, Managing Director, Middle East & Africa at SANS. Just over half of surveyed organisations claim to have felt prepared or very prepared to fend off attacks. "And even this readiness will stand to be tested when alternative payment systems come online," he added.

Managing human vulnerabilities is sometimes more of a challenge than the technical aspects, though it ought to be the easiest and most effective way to combat cyber-risk. For example, both ransomware and phishing attacks (the two most commonly reported attack vectors against financial institutions) prey on the vulnerabilities associated with users, who often unwittingly click on links that unleash vicious attacks on their organisation's assets. For that reason, organisations are going beyond techniques like perimeter defences, endpoint protection and log management to identify, stop and remediate threats, and are focusing on controls such as email monitoring and security awareness training to reduce the potential for employee actions that unleash malware on their devices.

But there is still much left to be desired in this area. "Organisations are still taking an ‘old school’ approach to cybersecurity with a narrow focus on ‘IT security’ – a simple, easy-to-deal with threat with guidance given to members of staff, such as on the usage of USBs, unauthorised downloads, theft of data and small-scale phishing," says Cafferty. "The impression that staff members get is that IT matters are very personal localised issues, rather than highlighting the bigger risks they may cause to the organisation such as denial of service, theft of customer data, whaling and large-scale extortion."

"Management, working under Board direction, needs to develop focused education, training and awareness programmes for their organisations. Utilising government statistics and typologies, supported by internal research, management should ensure that all staff are aware of the full range of risks the organisation is exposed to and that education programmes are put in place so as to ensure that cyber risk management is embedded in daily activities. Finally, specific/ongoing training should be given to key individuals, and teams, so as to provide the skills and knowledge the organisation needs to effectively prevent, detect and respond to the cyber-threat," he says.


From end to end

Thanks to technology, everything is interlinked, such as a business's core operations with its vendors, customers and supply-chain networks. As such, failure to understand and address the systemic cascading effects of cyber risks could have far-reaching consequences across the network, according to Cafferty. "Customer education is more commonplace in this region, but again the fear factor gets in the way. Organisations don't want to give customers the impression that they don't have the systems in place to protect them," he says. Initiatives like ‘customer training’ may be unlikely due to the logistic challenges they pose, says Solling. "Financial institutions could, however, regularly share information about the latest cyber-threats and trends. They could also share best practice for online security. For example, many customers reuse weak passwords across multiple Internet accounts and even their online banking accounts. With data breaches of even large social media and other Internet services now commonplace, such behaviour could easily jeopardize users' security," he says.

But he also goes on to emphasise that financial institutions must be wary of the partners they work with, particularly those that are SMBs. "Cyber-criminals often use these as gateways into the networks of larger organizations," he says. "In the UAE we have seen such an attack successfully carried out against RAKBANK. In this particular case, RAKBANK's business partner in India, which prints their credit cards, had a data breach where information on credit card numbers and CVC codes were lost. This allowed attackers to replicate card information, which again was used to deduct money from these cards. RAKBANK was reported to have been facing damages of approximately $5 million (QR18.2 million) associated with this. Although they were not directly at fault, of course such incidents have a negative brand impact," he points out.

Training partners and ensuring that they have the right cybersecurity measures in place will increase the security posture of the financial institutions themselves. By taking a broader focus that is aimed at the operations of the business, its supply-chain networks and customers, cyber-risk education for all involved parties can provide proactive, strategic and more actionable insights into the entire control system of the enterprise.

New challenges of a new era

Even as we are still grappling with existing challenges, a new technological era fast approaches. With advances in new technologies – such as the cloud, analytics, mobility, artificial intelligence (AI), Big Data and the Internet of Things – the attack surface available to adversaries has expanded enormously.

In particular, the so-called Internet of Things (IoT) – a term used to describe anything and everything that is connected to the Internet and able to communicate with other ‘smart’ devices – has been vital to the transformation of businesses, and in return it has come with immense challenges in the areas of privacy and security. A major issue around IoT is the vast number of devices, says Solling. "We are talking about as many as 50 billion sensors and devices by 2020. All those sensors are cheap, low-cost devices – a major factor as there are so many of them. Given this, how much security do you then think they could design into the hardware? Another problem is the software: IoT devices use software like any other device on the Internet. Some of them have generic operating systems like embedded Linux. How do you patch 50 billion devices in case of a general vulnerability?" he asks. Unfortunately we are already beginning to see the first examples of how attacks can be perpetrated in a connected ecosystem.

Given these challenges, it is imperative for organizations to thoroughly assess their IoT readiness before going to market. First, the service needs to make sense. While CEOs and CIOs within organizations must focus on how they can innovate in their business, it won't always hold true that IoT is the only way they can innovate. What is unique about IoT is that it is not necessarily trying to invent new problems, but tries to solve or optimize how we do things. Another very important aspect is the integrity and availability of the service. The minute you start to integrate with the day-to-day life of individuals, you need to ensure that the service is always available. Finally, and perhaps most importantly, security: financial institutions in particular need to think about the data they are storing, and how they are ensuring it is safe. IoT services need to be built with security in mind, as any failure to deliver the same can cause a huge impact to the reputation of a service.

On the other hand, the technological upper hand provided by Big Data and predictive analytics can't be denied. "Predictive security analytics is a way to analyze where threats could be coming from and who is mounting these threats and relationships that they have between them with potentially the physical location of the threat," says Chebib. "Different elements of information are correlated together to provide insight about the threat to enable security specialists to pre-empt such threats, or to stop it. Big Data concepts shed more light and additional perspective in understanding threats and ways to prevent them and/or minimise their risk." Big Data will also have an important role to play in helping organisations to identify areas of risk, says Cafferty. "What data they have; where that data is to be found; and what levels of protection are needed. It's a profound transformation in how man and machine interact with each other."

