Security is rarely far from the top of IT directors minds, but two recent incidents have highlighted why it is also a board room issue.

Wikileaks engrossed the public worldwide and enraged governments. When Visa, Mastercard and Paypal announced they would stop processing donations for the whistle-blowing website, hacktivists (hacker activists) waded in and launched distributed denial of service (DDOS) attacks on their websites. The group behind the Operation Payback attacks claimed in early December that the tools necessary had been downloaded more than 300,000 times.

DDOS attacks aim to knock out the targeted site – making it difficult for transactions to be processed and disrupting services – rather than steal data on customers.

The second incident, launched during the summer, was far more sinister, because it was a sustained attack on one facility designed to steal information. Using what is known as a worm, it was mounted on Iran’s nuclear facilities, slowing down the government’s development plans. During a press conference in late November, President Mahmoud Ahmedinejad admitted that the cyber attack had taken place, saying that it had caused a ‘limited’ number of problems to centrifuges used for uranium enrichment. The nature of the attack, widely thought to be using a worm called Stuxnet, should sound alarm bells for the heads of government and private organisations alike.

New threats to IT security

A worm is a malicious programme that replicates itself across multiple systems without needing a host file. Generally it can spread via email, removable disc drives and over networks protected by weak passwords. It will also infect executable files and encrypt data files. Stuxnet itself is extremely sophisticated in its design and was able to seek out specific areas of code with the plant’s computer systems, in this case targeting Germany’s Siemens’ industrial control systems.

Experts expect to see its like again, as cyber criminals change their approach to mounting attacks, and instead of casting a wide net, target specific companies.

While the idea of targeted attacks is not exactly new, the Stuxnet approach is time-consuming and costly to unleash, requiring highly experienced code writers to build. “We would be fooling ourselves if we thought that Stuxnet was a one-off attack and that no one would do it again. It is definitely a risk for critical national infrastructure that governments need to be looking at very carefully,” says Johnny Karam, Mena regional director at security software developer Symantec.

While in the past, many attacks have been widespread, security companies now consider the rise in highly targeted attacks as a key issue for 2011. They expect to see variations of the Stuxnet worm again this year, its purpose to be for corporate espionage – the stealing of valuable company secrets.

“While protection against common malware is well developed and firms understand the risks, there is still a lot to be done about targeted attacks and this is why I consider them to be the most serious threats to businesses at the moment and one that will continue to remain so throughout 2011,” says Costin Raiu, director of global research and the analysis team at security software company, Kaspersky.

IT security policies for firms in the Middle East

If this is the case, then companies around the Middle East need to consider carefully how they will protect themselves. The obvious answer is to ensure IT security systems are in place and kept up to date. But these need to be at various levels of security, not just a firewall or anti-virus software. Security can be in place both at the front and end point of the network.

Examples include the use of software to sweep emails coming in and leaving the mail server. Increasingly companies are turning to third parties to check emails for malicious code before reaching a user’s inbox.

End-point security includes the use of encryption for files and folders, so that if there is some form of illegal access or mobile devices are lost or stolen, company information remains protected.

Equally important is the need for strong IT security policies, particularly with the proliferation of data-centric mobile devices that are now being connected to the corporate network.

With a generation of business professionals expecting to use their mobile devices (phones, tablets or laptops) or portable disc drives such as USB keys for work, and connect them to the company network and have them hold confidential data, the need for strong corporate security policies will become more important.

But security policies are only as good as the rigour with which a company enforces them. If the board is not driving security policies, and employees who flout them are not disciplined, then it will fall by the wayside and again leave a weak point in the defence of an organisation’s data. “Every organisation should define their security strategy. And it’s not just about putting in better anti-virus software or firewalls. You need to provide training for employees and make them aware of the dangers. All the money spent on security will be worthless if there are weak security policies. Organisations need strategic policies and they need to put them in detail,” says Tarek Kuzbari, managing director at Kaspersky Middle East.

In the US in the 1990s, a hacker called Kevin Mitnick became a cause celebre after he was arrested by the FBI for computer fraud. In the days before cyber criminals, his hacking exploits gave him notoriety and once convicted, a five-year prison sentence. His claimed method of breaking into corporate networks was simple – social engineering. He asked the right questions, built up his knowledge and hacked into myriad systems. Today, old techniques for social engineering have been superseded by social networking, making it even easier to gain knowledge on people.

For instance, the security questions a bank asks a customer for verification are often similar to the sort of information people include in their Facebook or LinkedIn profiles.

A site in the US called Please Rob Me used a combination of social networking sites, such as Facebook and Twitter, to show the locations of empty houses. With people prepared to lay bare their lives, it has become easier for criminals to build up knowledge on a person and use that for fraud. Between July and September 2010, Symantec found that credit card details were the most commonly advertised details for sale by cyber criminals.

It means that today, security policies need to take into account that employees may well live their lives online, letting slip information that provides the key for a cyber criminal. There are standards that companies can adopt – ISO27001 is best known – giving an organisation the automated tools it needs to check its ability to secure company data.

Awareness of the need for security is on the rise. Those most at risk are usually those newest to the internet or with weak cyber laws. In countries such as Egypt and Saudi Arabia, there has been a proliferation of viruses and worms.

Current laws in the region, says Megha Kumar, senior research analyst at IDC Middle East, are weak and in some cases in need of updating. While countries such as the UAE and Qatar are being more proactive, current laws in general “are not a major deterrent”, Kumar says.

New technologies for the Middle East

The combination of new, high internet penetration, a flourishing economy and weak internet laws makes users in such countries a prime target. Symantec says that in 2009 (the latest available full-year figures), Saudi Arabia had the highest number of potential worm infections in the Europe, Middle East and Africa region. The UAE and Egypt ranked second and third. Egypt also had the highest number of computers infected with viruses. “Countries that are opening up to the internet are usually a good target,” says Karam.

New technologies will also introduce new issues and this is true with the move towards virtualisation in the Middle East. It adds a layer of complexity because IT heads need to manage both a physical and virtual environment. Gartner estimates that until 2012, 60 per cent of virtual servers will be less secure than the physical servers they replaced. That figure will drop to 30 per cent by 2015, but will still create a headache for IT workers trying to transfer systems to a new environment, while also keeping them secure.

“Virtualisation is gaining momentum. As organisations have more virtual environments there will be security issues, such as their management. There will also suddenly be a large number of virtual servers, creating sprawl,” says Ranjit Rajan, research director for software at analyst company IDC in the Middle East.