In the summer of 2016, Mohamed Amine Belarbi’s cyber security startup Vul9 began approaching potential clients. He was shocked by the vulnerabilities they found.
His team hacked several companies and found a range of common vulnerabilities. From insecure data storage, such as susceptibility to SQL injections where a database is given instructions to blindly follow, to lagging encryption of company data such as weak user passwords.
Dubai-based Vul9 was ‘ethical hacking’ and Belarbi was surprised at the response. “At least so far, no interaction has not been positive,” he told Wamda.
Cyber security hasn’t yet become a pressing issue for MENA companies, big or small, but they could soon realise that cyber security will be the mother of all problems.
The work of companies like Vul9 are just skimming the surface of the region’s cyber vulnerabilities.
The attackers are busy
In late 2016, security software company Trend Micro released some startling statistics on malware, software that can damage or disable computers, in MENA.
The company was detecting an average of more than 90,000 malwares a month in the UAE - “the highest in the region,” they said. They detected nearly 88,000 in Saudi Arabia, more than 21,000 in Qatar, and Oman averaged at around 10,000 malwares per month.
Equally, when it comes to ransomware, software usually targeting individuals blocking access to a computer system until a ‘ransom’ is paid, Saudi Arabia has the highest threat levels at over 50,000 attacks being detected each month, followed by UAE, and Oman.
New viruses and techniques are being created everyday, says Ihab Moawad, Trend Micro’s vice president for the Mediterranean, Middle East, Africa and Russia. He told Wamda that they see 250 million threats a day, globally.
Most famously in 2012, Saudi Aramco suffered what is labelled the biggest cyberattack in history where 35,000 computers were destroyed within hours; in November 2016 thousands of computers across various government ministries in Saudi Arabia were hacked [apparently the Saudi central bank, the transportation ministry and the agency that runs the country’s airports].
“The Middle East is at the heart of a geopolitical situation where you’ll find a lot of attacks,” says Maher Jadallah, regional manager for security in MENA at Cisco. “Gulf is also oil and gas rich, so it’s going to be the target of big corporations wanting to disrupt it.”
What is Dubai doing?
The number of attacks in the Middle East don’t look good, and companies like Pricewaterhouse Coopers have certainly made a case for the region being massively under threat.
But within the UAE, there are positive moves afoot to begin protecting themselves against cyber threats.
Since 2012, the UAE National Electronic Security Authority (NESA) has been working with Emirati government entities. As a federal authority, they operate under the UAE’s Supreme Council for National Security.
The Dubai government has also employed Cisco to provide the infrastructure for their Telecommunications Regulatory Authority’s (TRA) Electronic Federal Network (Fednet) which will host the UAE government’s Smart Cloud and will connect all federal government entities in the UAE.
The Dubai Electronic Security Center has been in operation since 2014 and part of their mandate is to adopt Information Security Regulation (ISR) across all the government departments within the city. They regularly conduct audits on government entities to assure their compliance with the information security regulation. They cover individuals also.
In December they held their first competition to encourage university students to come up with cyber security solutions.
A recent addition to the UAE cyber security landscape was the announcement of a new education platform called the Cyber Security Center.
Previously set to officially open at the end of 2016, we’re still waiting for the ribbon to be cut.
“There is no company that is providing education or training to both the public and private sectors,” Smart World chairman Dr. Saeed Al Dhaheri told Wamda in October.
Smart World, a smart service provider from Etisalat and Dubai South, is partnering with local cyber security firm The Kernel, to build the center.
The Kernel cofounder Rami Kayyali said education was a big part of the problem, with one example being the number of people still sharing their passwords.
“Lots of employees don’t go through basic security training,” he said. “Twenty percent of the issue is training. People might get themselves some international certificate but it’s not the same in practice. We’re in the process of changing this and adding practical courses.”
Vul9’s now has 14 clients. They are as far afield as India and the Netherlands, some are multinational companies and others are digital startups.
“[Cyber security is] seen as a luxury for them and they tend to deal with it once it happens,” Belarbi said.
“Usually most of the vulnerabilities are not region or area specific, they are technology specific,” he said. “SQL injections, for example, are things ethical hackers and cyber security companies would find in platforms across the world.”
This month Vul9 hopes to launch a platform that will allow companies to give assessment and training for startups. It is now piloting it with Abu Dhabi’s Union National Bank and Federal Demographic Council.
Aside from companies though, government and company policy towards security also needs to take into account individual smartphone users who are automatically giving up data by just having their phone switched on.
The collection of this data by telcos is used for various things. In the case of Dubai’s government, they use it to help with city planning, but how secure are they keeping it?
Du, for example, is working on Dubai government’s Smart City Platform. It’s an initiative that is set to make Dubai a ‘smart city’. Marwan Bindalmook, senior vice president of managed services at Du, says that from day one cyber security has been on the table.
“There are security risks whenever you build any platform,” he says. Following the best security practices will help in reducing these risks, he says, “and finally you will be able to take calculated risks that the government is willing to take.”
The work of these government entities, telcos, startups like Vul9 and Comae Technologies are raising awareness but there’s a long way to go. As Cisco’s Jadallah said “it’s an endless war”.