Cyber Security in the GCC: Cyber Security in the GCC: Are we doing The Best We Can? Are we doing The Best We Can? Varun Kukreja Varun Kukreja Sr. Security Consultant Sr. Security Consultant CISA, CISSP, ITIL CISA, CISSP, ITIL GBM GBM
A Brief History of Hacking 2010s 2000s 1990s • Stuxnet worm attacks Irans Nuclear Facility 1980s 1940s / • Bank of America • ILOVEYOU Worm website hacked, introduced, 85000 credit cards affecting millions of 1960s and accounts computers • 1260 or V2PX - stolen 1939 • DOS attacks First virus is • Playstation Network introduced targeting created taken offline, with domain servers • $10 Million were • New York Times 1903 77 Million PII • Anna Kournikova siphoned from describers the term leaked virus is released Citibank and hacker • Bangladeshi hacker • René Carmille, • Hacktivist group transferred to • Ian Murphy is made a record in hacked the Anonymous was multiple accounts convicted as first defacement history punched card formed throughout the felon for breaking by hacking 700,000 machines to save • Turkish hacker world into AT&T • Bombe Machnine is websites countless jews from iSKORPiTX • AOHell is released Computers developed. Enigma • Saudi hacker, death camp successfully hacks resulting in • The term ’Trojan • Nevil Maskelyne is broken by Brute published over 21,549 websites readymade Horse’ is coined as disrupts John force attack 400,000 credit • Phreaking boxes • FBI Finds 1 Million application for security exploit Ambrose Fleming’s cards online emerge Botnet Victims script kiddies • Computer Fraud demonstration by • Foxconn is hacked. • Password • Anonymous • Hackers alter the and Abuse Act is sending insulting Massive data vulnerability in IBM attacks Scientology websites of US released Morse code leaked online 7094 is found website servers DOJ, CIA and Air • First National Bank messages through • Elite hacker sl1nk around the world Force of Chicago is the auditorium’s announced that he • Google reveals of • Yahoo notifies subjected to a $70 projector. has hacked a total their IP theft users that they may Million Dollar of 9 countries have downloaded a computer theft SCADA systems. logic bomb • CERT is formed • Qatar National Bank Hacked, data leaked
Motivations Espionage Corporate / Government espionage is one of the biggest factors for hacking today, rival organization’s or governments pay money to hackers to compromise critical information EXAMPLE: STUXNET HACK Money Challenge Many hackers perform hacking related Some hackers create malwares and activities only to gain financial perform hacking activities for gaining information that they can either use for knowledge on the organization and to themselves or sell it to a buyer at a face new challenges that they want to price overcome EXAMPLE: BANKING HACKS EXAMPLE: Social Issues Fame Many hacker groups have emerged that Hackers are known for openly constitutes of various hacktivists that claiming hacks conducted by them want to address social issues and target on social media websites and various various companies and governments other forums EXAMPLE : ANONYMOUS GROUP EXAMPLE: Destruction Curiosity Some hackers are fueled by revenge Many hackers start as ‘Script Kiddies’ and just intend to destruct the by using various tools freely available opponent on the Internet EXAMPLE: AOHELL Tool used by EXAMPLE: ASHLEY MADISON Newbies HACK
More Connected Devices / Services, More Hacks • Around 40% of the wi world population has an internet connection today. In 1995, it was less than 1% • The number of internet users has increased tenfold from 1999 to 2013. Devices / Services • The first billion was reached in 2005. The connected to Internet second billion in 2010. The third billion in 2014. • Gartner report suggests that it will increase to 20 Billion Devices by 2021 Your Logo
Personal Connected Devices in the GCC 70% of Professionals in the GCC carry more than 3 connected smart devices Source: GBM
Digital Empowerment in Bahrain Education
Changes in the Threat Landscape in the Middle East Hacker holds UAE bank to ransom, demands $3m - Gulf News Hackers steal $1bn in series of online bank thefts says report Report: Iranian hackers hit Qatar during two-year campaign ... doha news.co/report-iranian- hackers -hit- qatar -two-year-campaign/ Kaspersky Lab sheds light on “Darkhotels”, where business executives fall prey to an elite spying crew 10 Nov 2014, Virus News
New Challenges in Security Data is Physical and Computer Aggregated Cyber are Power is and Available Blending Limitless
Key IT Security Challenges Hackers & Attack Sophistication IT Security Compliance & Risk Mitigation Security Intelligence, Monitoring & Management People Data Application Infrastructure Virus, Zero Day BYOD Leakage & Loss Webification Remote Access Malware Roles & Secured Eavesdropping Source code bugs Guest Access Responsibilities Connectivity Recruitment, Data in Rest / Training & Spam Internet Security Physical Access Motion Awareness
Mixed Confidence Executives Not Sure in Ability to Contain Compromise
Even the basics aren’t covered. Less than half security practitioners leverage security tools • Identify Admin and Provisioning • Patching and configuration • Technical Assessments • Quarantine malicious apps
Public Breaches Can Improve Security. More organizations conduct security training after an incident
Maturity : Budget Constrains Rank High
Problems that we have observed • Cyber Security is still considered a part of IT • The blind belief “This cannot happen to me” • Lack of Security awareness campaigns in organizations • Security is “Plug – And – Play” like an appliance • Not investing enough in Business Continuity • Reactive approach than Proactive
What can you do? Proactive Vs Reactive • Define Baselines Security • Process and Ownership policies • CISO Identify • Risk and Vulnerabilities Compliance team • By People, Processes • Management and Technology focus • Periodic external assessment Remediation Plan Program Improvements • Risk • Ensure regular Management and repeatable • Impact process Analysis • ‘Fix’ the risks Security Awareness Continued Focus • Spread awareness on how to be • Monitor and Measure more secure • Identify new trends and • Via various medium like poster, adjust approach accordingly newsletters etc
Varun Kukreja Sr. Security Consultant
Recommend
More recommend
