From the rising power of the dark net to increased vulnerability through smart city adoption, is the Middle East ready to fight the next phase of cyber crime?

Imagine visiting an Amazon-style online store and on sale you find stolen credit card numbers, weapons, drugs and a range of other similar products. You can buy a gun, pay in non-traceable bitcoins and expect your purchase to arrive wrapped in brown paper the next day. The whole transaction is anonymous - you don't know your seller and no one knows you.

While this sounds very much like a new Hollywood thriller, it is what the so-called 'dark net' looks like: a hidden network functioning invisibly upon the internet that is completely non-traceable and yet to be penetrated by analysts.

The whole concept has clear ramifications, and "it's only a matter of time" before political activists start using it, says Rashmi Knowles, chief EMEA security architect at RSA - EMC's security division.

Speaking on the sidelines of the annual RSA security conference in San Francisco, Knowles emphasises that cyber crime, especially with the rise of the dark net, is rapidly evolving and poses a huge risk to organisations and governments in the Middle East.

"Once terrorist gangs use the dark net to communicate, more and more people will find out how powerful it is and its usage will go up. It's quite a scary thing and although all the law enforcement agencies know about it, the dark net is very difficult to combat," Knowles explains.

"They [the criminals] have better resources than we have and we don't know where their devices are used from. It's difficult to find who they are, who owns the devices and who uses them. It's all anonymous - nobody uses their real names and everything is traded in bitcoins," she says.

Ominously, she predicts: "A lot of the law enforcement agencies are doing their best to shut them down but it won't be anytime soon."

TARGET: MIDDLE EAST

While cyber security has been a concern for several years now, the gravity of the problem hit home in the Middle East after the August 2012 attack on Saudi Aramco - in which up to 30,000 workstations were affected.

Saudi Arabia said at the time that the attack was intended to stop oil and gas output at the company, the biggest oil producer in the world, although production was not affected.

The Kingdom did not specify who organised the attack but it is suspected the so-called Shamoon virus, which also hit Qatar's RasGas, was involved.

"The Middle East is the first place where we saw attacks that damaged big corporations financially. In Aramco, the attack damaged systems but nothing was politically done or said by Saudi Arabia despite the massive expenses," says Mahir Nayfeh, senior VP at consultancy Booz Allen Hamilton. "The questions are what do you do? Who do you blame?"

Sectors such as oil and gas and financial services are particularly vulnerable in the region, Knowles says.

In March of this year, cyber security firm Symantec revealed that it had observed a multi-staged, targeted attack campaign against energy companies around the world with a focus on the Middle East.

Researchers detected a new information stealer dubbed 'Trojan.Laziok' with the majority of the targets linked to the petroleum, gas and helium industries. The UAE was the most targeted country worldwide at 25 per cent, followed by Saudi Arabia and Kuwait (10 per cent) and Oman and Qatar (5 per cent).

The research suggested that whoever was behind the attacks could have a strategic interest in the affairs of the companies affected.

"Overall, threats are going up. Also, the types of attacks have changed. Earlier the focus was on custodial data such as stealing credit card information. We will still see those attacks but the bigger threat in the Middle East is cyber espionage, which is stealing intellectual property," says Knowles.

"That's almost a hidden crime - if you lose personal information, you report it. But if you are an oil company and you lost intellectual property about a new drilling platform, you don't report it. Yet it has a huge impact on your operations and that hidden crime is what we don't see in the media."

Companies hesitate to report crimes because there is a stigma associated with it and most organisations are embarrassed that they were unable to prevent the attack, she adds.

Defence Strategies

That culture is, however, changing, with more companies - including those that were attacked - willing to share information.

Sharing technical know-how, even between competitors, is even more vital to smaller organisations. They don't have the expertise or the budget to survive a major attack, explains Christopher Ling, senior VP at Booz Allen Hamilton.

More than two thirds (68 per cent) of organisations in the Middle East lack the internal capabilities to protect themselves against sophisticated cyber attacks, according to recent research by Symantec and Deloitte. Meanwhile, 70 per cent of regional IT decision makers lack complete confidence in their company's cyber security policies.

"For smaller companies it is essential to set up information sharing groups and for the bigger companies, who are motivated for industry preservation, information sharing should be on a more collaborative basis," says Ling.

But while sharing knowledge will help, countering attacks is about more than just identifying them, according to Piero DePaoli, senior director at Symantec.

"It is about understanding who the attackers are and what their motivations are. With threat intelligence, organisations can be better prepared to deal with attacks," he says.

Another key mistake that organisations tend to make is trying to protect all their data, argues RSA's Knowles.

"One of the basic things most companies in the region get wrong is that they focus on protecting everything they have. But you can't defend everything. Spend the budget on protecting your most valuable assets," she advises.

According to Amit Yoran, president of RSA, there are numerous technologies in the market but what is truly required is a change in mindset.

"The real question is - what matters to the organisation? How do you manage risk? Can you protect everything at all times? Don't be naïve - compromises happen every single day," he says, citing the popular security quote: "There are two types of companies - those who have been breached and those who don't yet know that they have been breached."

Smart City Vulnerabilities

While attacks have been steadily increasing, with the emergence of trends such as the Internet of Things and the era of connected devices and smart cities, the attack surface is set to grow exponentially.

"IoT will expand the attack surface in ways we can hardly even understand and appreciate right now," says Yoran. He cites the example of one of his colleagues in threat research, whose smart light bulb was used to instigate a distributed denial-of-service (DDoS) attack on the rest of his home network.

"These are the types of challenges we are going to be experiencing when we start adopting technologies we don't know much about."

The issue is especially key in Middle Eastern hubs such as Dubai, which are aiming to become smart cities within the next few years. Several government and public departments have already incorporated changes to become 'smart' and offer services through virtual means.

"With smart cities and IoT, the more places you have access to and the more dependent you get on those things or devices, the more prone to attacks you become," states Booz's Nayfeh, citing the instance of self-driving cars, which could easily be manipulated to cause harm.

Not enough thought has gone into the ramifications that connected devices will have on security, he argues.

"In smart cities, traffic, transportation, rail - all these things are connected so there is a huge amount of information that is produced. Add privacy issues into the mix and invariably, you can never build the perfect system. No matter what you do, there's always going to be vulnerability."

The focus should therefore be on returning to service if an attack occurs, adds Knowles.

"The incident response plans are critical. If something goes wrong, how are you going to contain it? If something is shut down, how will it impact the rest? Without any previous practice, it is very difficult to know. The challenge is to make sure that you can remediate out of that and try and keep everyone safe," she says.

WHAT LIES AHEAD?

The alarming surge in the volume and variety of cyber attacks, coupled with greater vulnerabilities and the rise of the dark net, is leading the security sphere to seek out military-style strategies and maneuvers to counter the threat. Knowles also acknowledges that ex-military personnel are already being hired to handle cyber espionage at big organisations.

Big ex-military men, counter intelligence, espionage tactics and exceptionally smart criminals - the future of cyber security does indeed have the makings of a great Hollywood movie.

© Gulf Business 2015