Information Security News mailing list archives

UAE banks invest in IT security on hacking fears


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 21 Feb 2008 01:03:03 -0600 (CST)

http://www.business24-7.ae/cs/article_show_mainh1_story.aspx?HeadlineID=2605

By Ryan Harrison 
Emirates Business 24/7  
February 20, 2008

Investment in anti-hacking technology is growing exponentially in the 
UAE's banking sector as the move towards global e-commerce increases the 
threat of security breaches, say analysts.

It is estimated that resources allocated to information security have 
risen by more than 200 per cent year-on-year since 2005.

Greater awareness of the threat among UAE banks is driving the surge in 
investment, said Naveed Moeed, principal technical consultant for the 
Middle East and Africa at RSA, the security division of information 
management group EMC.

"We have had huge traction in the banking sector," he said.

It's far and away the fastest growing sector of our business in the last 
three years. It's grown by well over 200 per cent year-on-year in terms 
of revenue.

And practically all that revenue is coming out of the awareness of 
fraud, particularly insider and online fraud.

To secure core banking you now have a package that's tried and tested. 
But providing security for a growing population that wants to use ATMs 
and the internet to do their banking is an ever-increasing task. The 
bigger the banks grow the more they spend on security.

RSA, which provides information security solutions to 90 per cent of the 
Fortune 500 companies, has seen its Middle East client base grow from 
one bank, the National Bank of Dubai, in 2003 to 40 institutions at the 
end of last year.

We have seen exponential growth from this sector and this reflects how 
banks are reacting to security and how much they see it as leverage for 
accelerating the business. It's also about retaining customers.

Moeed, who was attending the Secur Middle East Congress in Dubai, said 
the extent of the damage caused by a security breach will depend on the 
size of the bank and type of clients it had.

The Abu Dhabi Islamic Bank has more than doubled the amount it allocates 
to information security to Dh15 million from Dh6m in 2006.
 
Ghanem Elshahry, the head of information security and risk management 
there, said the UAE banking sector's increasing global exposure was 
pushing institutions to take tougher measures.

"The risk element is coming from opening up to the world, be it through 
internet banking or international expansion," he said.

But we are not pessimistic about this because there are also 
opportunities associated with opening up to the world.

We've had several attempted attacks in the last year and some attempted 
disruption, but we haven't suffered any financial loss. Our budget 
represents about 10 per cent of our IT allocation. UAE banks should 
ideally allocate up to 20 per cent of their IT budget to information 
security.

Banks in the region have become particularly vulnerable to phishing 
attacks in recent years where criminals steal sensitive information from 
unsuspecting computer users.

Hackers try to obtain usernames, passwords and credit card details. 
E-mail or websites used for phishing usually appear trustworthy, but 
are meant to trick people into revealing sensitive information.

Vinod Vasudevan, Chief Technology Officer and Director at security 
company Paladion, said the country's burgeoning banking industry marked 
it out as a target for hackers.

"The threats to banks are moving more towards financially motivated 
attacks," he said.

Attacks in the past year have been mainly phishing attempts, and because 
the Middle East is considered economically strong you have most of the 
financially motivated, targeted attacks.

The reality today is any attack that is happening anywhere globally can 
come quickly into the region.

Five years ago Europe and the United States would be where attacks would 
first surface and there would be a lag before they appeared in the 
Middle East or Asia.

But because of the economic prosperity here any new attack that surfaces 
hits the region immediately. That lag has disappeared.

Paladion, which specialises in security solutions for the financial 
services sector, estimates that a bank's budget for information 
precaution in the UAE has grown to 12 to 15 per cent of its IT funding, 
up from five to seven per cent two years ago.

A phishing attack can typically lead to thousands of accounts being 
siphoned off in 24 hours, which could mean millions of dollars 
disappearing in one day. The impact will also depend on the number of 
users affected and the size of the bank: the larger the bank the more 
transactions they will have.

Last year the Abu Dhabi Islamic Bank faced several phishing attacks, but 
Elshahry said preventative measures had controlled the security 
breaches.

"If we suffer from phishing it affects our reputation, so we have 
controls to stop the attackers," he said.

When there is a security breach it affects how customers see us, which 
is a problem for the growth of the bank. If customers do not feel secure 
with the bank they will not continue to deal with us. Plus there is 
greater competition in the region.

RSA says customers of European banks have moved to competitors because 
of concerns about information security.

"In Europe the banks that have done really well are the ones putting 
these measures in place," said Moeed.

More customers are moving from certain high street banks to other high 
street banks because of the technology edge. If consumers feel a bank is 
more secure then they will move to it. At the same time that bank is 
reducing the level of fraud so its net profits double or triple.

Kurt Information Security, which is active in 15 countries, specialises 
in securing data for the oil and gas, telecommunications, banking and 
finance, government and service sectors.

It co-ordinates its Middle East security operations from headquarters in 
the UAE.

CEO Michael Wellington said: "Phishing attacks are, for all the big names 
in banking, one of the largest threats today because they attack a huge 
number of end-users. In the UAE the awareness is there but implementing 
solutions that will maintain security is where we believe the challenge 
is. Banks here are doing a lot but there is more to be done, especially 
as competition is growing in the sector, particularly from international 
banks."

Ahmed Al Mulla, Chief Information Officer at Dubai Aluminium Company, 
said he was recently asked by his chief financial officer whether his 
information security measures would be adequate if the group were to 
become a shareholder company.

We were working on a roadmap for finance and there were a lot of 
regulations we would have to abide by.

One of the requirements was if we want to go the initial public offering 
route, are we ready?

We're not ready for an IPO from a security point of view because we don't 
need to be. Our CFO was trying to find out where we were as a business.

And, referring to the banking sector, he said: "The technology is there 
but the challenge is you need to keep updating the technology."
 

Hiring Hackers

Dubai-based banks are recruiting former hackers to shore up their 
information security systems, said an information technology expert.

Addel Wahab Ahmed Mostafa, an IT consultant and chief of the technical 
committee at information company UAE Data Warehouse PM, said banks were 
hiring hackers in a bid to stay one step ahead of potential breaches.

Most of the big organisations are employing ex-hackers.

In Dubai banks are hiring hackers to protect themselves because how else 
do you protect yourself from hackers?

You must figure out the measures they use and use them yourself.

He said 60 per cent of hacking originated inside organisations or was 
carried out by former employees.

Most hackers like to attack financial organisations as they are the most 
lucrative targets. This activity will grow as the economy grows.


New computer viruses threaten firms in region

Zombies and botnets are the latest threats faced by firms that use the 
internet.

Botnets are software robots or bots that run autonomously and 
automatically on groups of zombie computers controlled remotely over the 
internet by hackers.

These are used to distribute spam e-mail and carry out fraud without the 
knowledge of their owners.

And the Middle East is not immune to botnets, the world's number one 
emerging internet threat, according to web security firm Trend Micro.

David Perry, the company's Global Director of Education, said botnets 
were responsible for more than 80 per cent of the world's spam and 
generated fraud worth more than $1 billion (Dh3.67bn) annually.

The number of web-based threats has increased by more than 600 per cent 
in the past two years and Trend Micro attributes the growth to 
ignorance.

"IT users, whether in a professional or consumer capacity, should always 
follow responsible, best-practice internet policies to protect 
themselves from existing and emerging web threats," said Perry.

Tony Larks, Middle East Communications Director of Trend Micro, said: 
"The key issue is that company internet security policies are not 
enforced effectively in the region and are not conveyed to users. The 
biggest concern here is that IT users are not aware of internet threats; 
the level of awareness is very low."

Larks said in the past 12 months more than five million cases involving 
computer viruses had been detected around the world.

"The growth in internet threats is such that professional programmers are 
working for organised crime gangs and they prefer to remain undetected 
for as long as possible. They are playing a longer game, which means 
that by the time a virus is detected they might have obtained access to 
a great deal of sensitive information," he said.

 
Internet use in the Middle East has soared by 920 per cent in the past 
seven years, dwarfing the world average of 265.6 per cent, according to 
industry figures.

But the increase has been accompanied by a similar rise in the level of 
cyber crime.

Larks said the region had an advantage over other parts of the world as 
it did not have a legacy of outdated infrastructure.

"Some economies like Europe have an IT infrastructure that is 30 or 40 
years old. The cost of upgrading is much more than installing new 
software. So the Middle East has the advantage of having the latest 
internet security technologies," he said. (Anjana Sankar)


The Numbers

$1bn: The annual amount of botnet fraud 
600%: Increase in the number of web threats

