COVERSTORY > IN THE FRONTLINE, ONLINE
IN THE FRONTLINE, ONLINE
40 > QATAR TODAY > MAY 2014
THE MOST SOPHISTICATED AND ADVANCED COMPUTER VIRUSES IN HUMAN HISTORY HAVE ONE THING IN COMMON – THEY ALL HAPPENED HERE IN THE MIDDLE EAST WITHIN THE LAST FEW YEARS, ACCORDING TO OMAR SHERIN, ICTQATAR, CYBER SECURITY DIVISION. BY AYSWARYA MURTHY
QATAR TODAY > MAY 2014 > 41
COVERSTORY > IN THE FRONTLINE, ONLINE
N "WE WERE THE FIRST CERT FROM THE REGION TO BE RECOGNISED INTERNATIONALLY AND JOIN THE 'FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS'. "
HAMID SADIQ Q-CERT Department Manager, ictQATAR
42 > QATAR TODAY > MAY 2014
ot long after the first computers were connected to form a network, the first network propagating worm was discovered. Now malicious code could travel to your machine from anywhere in the world. Since then, the relentless attacks on our personal computers and private information have not only been unabated, the criminals and hackers of the world are devising new ways to get to what they want, helped enormously by the fact that our online presence now is pervasive, detailed and in full view. “Everything is critical information. We are living in a culture of sharing so any and all information we put out there can be collected and analysed to create socially engineered bugs that are specifically targeted at you,” says Husamettin Baskaya, Regional Director at mobile security company Websense. But more unsettling than someone trying to trick you into revealing your password or account number is when they decide to cut out the middle man and directly target the institutions that are dealing with your money. McAfee Strategic Security Foundstone Services, Director of Incident Response and Forensics for EMEA, Christiaan Beek said the Cyber Defense Centre that he is a part of in Dubai is currently working on a rather tough case, one that’s taking a lot of the Centre’s time and best resources to resolve. “This financial company was recently targeted by a very sophisticated, custom piece of malware, fine-tuned for the company. Looking at how it works and the way it spreads, it’s obvious that the group behind it has done their homework and invested a lot of time and money in hopes of remaining undetected and continuing with their crimes,” he says. These occurrences are becoming increasingly commonplace and there is as much chance of eradicating cyber crime as there is of completing doing away with crime on the streets. It’s inevitable, whether you are an individual, a company or even a government, that there will be an attempt to circumvent your defences and damage or steal your data. What matters is that your firewalls hold up to these attacks and, even if they succumb, that the data leak is detected and plugged quickly with seamless recovery. These traits will become more important as more of our critical infrastructure starts to go online, as it unquestionably will. With the buzz around Smart Cities, everything from our electricity meters and traffic signals to burglar alarms and refrigerators can be controlled wirelessly through the
internet. Even if all the doors are locked, a malicious presence could enter your home digitally, through thin air. These are the kind of threats we are increasingly going to have to guard against. Protecting the homefront Qatar is no stranger to cyber threats. With the country accounting for a quarter of global gas exports, any disruption of the LNG industry can have massive regional and global implications. The Shamoon virus, which infected over 30,000 computers in Saudi Aramco in neighbouring KSA, managed to cross in Qatar nine days later and breach the systems at RasGas as well. No damage was done and production was not affected, mainly thanks to good practices within the company which ensured that the corporate and plant networks were separated, according to Omar Sherin, Critical Information Infrastructure Protection Manager at ictQatar’s cyber security division. Moreover, with the political unrest in the region and the increasingly large role Qatar is playing in Middle Eastern and global geopolitics, the country has come under the radar of groups like the Syrian Electronic Army who last year managed to disable several government websites. In light of the Global Financial Index survey, which placed Doha among the top 30 financial centres in the world (and No 1 in the region), it’s not surprising that a lot of eyes are on the vast amounts of money making its way into and out of Doha. Also after the bad press the country has been receiving in the global media due to its labour rights violations, it wasn’t too long before Qatari interests were targeted by “hacktivists”, like the ones who temporarily took over FC Barcelona’s (being sponsored by Qatar Airways) Twitter account earlier this year and broadcast a torrent of rants and accusations against Qatar to millions of followers. But Qatar’s forward-thinking ICT strategy has helped it get ahead of the game. The Qatar Cyber Emergency Response Team (Q-CERT) was formed in 2006 and was the first of its kind in the region. “We were the first CERT from the region to be recognised internationally and join the FIRST (Forum of Incident Response and Security Teams; “a sort of UN for national and qualified private CERTs”). Now, of course, other GCC countries, like the UAE, Kuwait, Bahrain, KSA and Oman, have their own national CERTs and we’d like to think that Q-CERT was a main driver towards this. In fact, when we started talking about safeguarding our critical infrastructure back in 2007,
it was still a new concept, even in some of the western countries,” says Hamid Sadiq, Department Manager at Q-CERT. The cyber security division of ictQATAR has departments that deal with various aspects of online security such as incident response, forensics, threat intelligence, national standards and polices, public infrastructure and training and awareness. Q-CERT’s Incident Handling and Digital Forensics Manager, Mounir Kamal, states that during the last five years there were major incidents targeting important sectors in Qatar, aimed at stealing confidential information to be announced as data leakage or used illegally. These have mainly been possible because of: Detective issues: Targeted attacks that use advanced methodology to bypass security controls like antivirus, firewalls, intrusion detection and other technology solutions which therefore they can’t be detected sometimes. Reactive issues: And more commonly in the country, targeted attacks that may go through a long and slow process, taking a little step each time, that can’t be detected and are easy to get neglected or misinterpreted. This is why organisations report incidents when they are well in their final phases when the impact of incident becomes very clear and, often, public. Q-CERT’s methodology is focused on the 5Ws - What, When, Who, Where and Why. “These 5Ws will give us a clear picture of how an attacker managed to compromise the said personal account, critical infrastructure or even governmental data, and understand vulnerabilities,” Kamal says. Through training and education, the centre also emphasises on “creating a culture of security in the society”. “Advanced attacks or hidden enemies are tricky to detect and sometimes unavoidable due to the advanced methodology they use, targeting all categories like developers, system administrator, security administrator and even regular users, Therefore it is highly pivotal to raise security sense among people and enable them to detect any strange behaviour no matter how small it is.” We were particularly interested to talk to Sherin to gain an insight into the seriousness of the threat to our critical infrastructure and to find out what the government is doing to keep it safe. “Any sector that contributes directly to how life is conducted in the country is considered critical,” explains Sherin. “In Qatar these have been identified as energy,
finance, telecom, government and healthcare. The second tier includes food, water, media, education, etc. This, of course, varies from country to country. The US, for example, has 18 critical sectors like nuclear, railways and postal services.” Next comes formulating a list of the big players who drive that particular sector. “They are not necessarily just the famous names but could be a small company that has a direct impact on the economy. So once the company has been deemed critical, their assets become critical.” The new Critical Information and Infrastructure Protection (CIIP) law will now make it mandatory for these companies to conform to certain standards issued by ictQATAR, which had not previously been the case. “Working with the Q-CERT will no longer be optional and in addition to that, you’ll have to fulfill certain criteria like having someone from your management be responsible for security, have a strategy in place for business continuity and recovery (which has to be periodically audited and tested), have basic incident handling capability and follow a standards like the ISO 27001 or Qatar’s own cyber security standards NIAP 2.0 or industry specific standards like the National Industrial Control Systems Security Standards.” Q-CERT offers a whole package of initiatives that a company can benefit from during different periods in its lifecycle; before, during and after an attack, Sadiq says. When a Qatari company is looking for a trusted partner to respond with a team on the ground, give expert advice and work with the company’s own cyber security team to repel the attack, Q-CERT is a natural choice. “Over the years we have built a great level of trust with the organisations here and they are more willing to share their sensitive information with us, than a third party outside the country. Besides we are based locally and therefore the first to respond and are a free government service.” Furthermore, over the years more than 100 ICS engineers have been trained by Q-CERT, the course entirely subsidised by the government, in protecting industrial plants. “Another way we stay ahead is by coordination and team effort with other CERTs,” Sadiq says, “By nature, CERTs are designed to share and are meant to be hubs of collecting and disseminating knowledge. The GCC CERT in the region meets regularly, as does the Islamic CERT (OIC-CERT). There is even an initiative to establish an Arab CERT.” RSA Regional Director, Turkey, Emerging Africa & Middle East, Ahmed Abdella
"THE ABILITY TO REALLY ZOOM IN ON A COUNTRY AND HAVE A BIRD’S EYE VIEW OF THE COMMOTION ON THE GROUND HAS HELPED THE MCAFEE CYBER DEFENSE CENTRE WARN ITS CLIENTS OF IMPENDING ATTACKS AND FACILITATE FASTER RECOVERY." CHRISTIAN BEEK idirector of Incident Response and Forensics for EMEA at McAfee Strategic Security Foundstone Services
QATAR TODAY > MAY 2014 > 43
COVERSTORY > IN THE FRONTLINE, ONLINE
JOINING HANDS ACROSS BORDERS
NOBORU NAKATANI, THE EXECUTIVE DIRECTOR OF THE INTERPOL GLOBAL COMPLEX FOR INNOVATION, WAS IN DOHA RECENTLY AND WE CAUGHT UP WITH HIM FOR A QUICK CHAT.
"IN QATAR, CRITICAL SECTORS HAVE BEEN IDENTIFIED AS ENERGY, FINANCE, TELECOM, GOVERNMENT AND HEALTHCARE." OMAR SHERIN Head of Critical Infrastructure Protection at ictQatar's cyber security division
44 > QATAR TODAY > MAY 2014
Do you feel the critical infrastructure in this region is more under threat than the rest of the world? When it comes to critical infrastructure, different regions across the world are targets of different types of attack. In recent years the rate of targeted attacks has increased and criminals are strategically choosing their targets based on different key interests. Quantifying the effect of targeted attacks is still very challenging, so it is difficult to make comparisons or judge whether one region’s experience is worse than another’s. Is there a consolidated effort by the international community to come forward to protect assets in the Middle East, which if compromised can have global consequences? The Interpol Global Complex for Innovation (IGCI) is looking to build a network of multi-stakeholder partnerships to the benefit of all regions, including the Middle
says that Q-CERT has been doing a fantastic job because they continually strive to match global standards and best practices by cooperating with and talking to other CERTs and organisations like the ISO in coming up with proprietary standards. “There are similar initiatives in other countries in the GCC but the Qatari government is very much at the forefront when it comes to developing national standards,” he says. A framework for security As part of ictQATAR’s National Information Assurance framework, a National ICS standard has been released; a first in the region, that Sherin explains, is one of their outstanding projects. The National ICS Standards, four years in the making, are reviewed and updated annually, as opposed to other standards which go through the process only once every five years. They are often written in association with the relevant companies and incorporate global best practices and lessons learnt from incidents inside Qatar. The National SCADA standard is now in its third edition. Ashraf Ali Ismael, as the National Information Assurance Manager and Samir
East. The IGCI strives to empower all countries, whether developing or developed, to expand and reinforce their capacity in dealing with cyber-attacks. We, at Interpol, have long understood the value of engaging in a permanent dialogue with our member countries through a vast range of initiatives, such as working groups and capacity building programmes. The IGCI’s objective is to continue along the same lines and to equip all regions of the world, including the Middle East, with the skills and knowledge to conduct digital crime investigations and digital forensic examinations. In May 2013, we organised the 1st Interpol Digital Crime Training Workshop for Middle East and North Africa in Dubai, UAE, which brought together representatives from seven countries to improve their skills in cybercrime investigation. What kinds of cybercrimes will the Global Innovation Complex be especially focusing on?
Pawaskar as the Policy & Strategy Manager, are at the forefront of drafting and publishing these standards. “NIA looks at information security as a structure based on three main pillars - people, processes and technology. We strive to raise maturity levels from the bottom-up when it comes to cyber security - how data is recognised and handled across various levels. A lot of security breaches come from poor processes in handling data in its different states - in process, in transit or stored. So we wanted to build a framework to secure the country without obstructing the flow of information which is the driving force for innovation and creativity. And we not only bring out these regulations, but also provide a training path to help companies implement them and create a list of tools that’ll help make the move, often with the help of private vendors,” he says. Over the years, the NIAF has proposed, drafted and developed several laws, standards and polices which are currently at different stages - some have already been enacted while some are in draft mode. “Among the laws, currently only the E-commerce Law has been published and enacted.
Cyber issues are very complex, covering a broad range of topics and challenges. When discussing cyber issues, one can be talking about issues of national security; espionage; of cybercrime, the list goes on. Interpol’s main efforts in this area will focus on criminal justice rather than national security. The IGCI will implement a threepronged strategy to actively assist national law enforcement in deterring cyber criminals, by harmonising cooperation efforts, developing regional and international capacity, and providing operational support on cybercrime. With prosecutions and arrests so low in cybercrime, what can act as a deterrent? When trying to combat cybercrime, there are three key challenges for law enforcement when trying to arrest and prosecute a suspect: whether countries have sufficient technical capacity to investigate a cybercrime; whether they can access or compile sufficient actionable intelligence to initiate an investigation, information that is often in the hands of the private sector; and whether national legislative frameworks will allow them to share or receive information from other jurisdictions to ultimately
The Cybercrime Law, a MOI Project, is in the approval stages. As you probably know, this is a very sensitive law; and rest assured we want to make the internet safe without making people afraid to use such tools as an enabler to creative thoughts and knowledge acquisition. The other laws waiting to be ratified are the Data Privacy Protection Law and the CIIP law.” The Qatar National Information Assurance Policy is “a comprehensive manual that covers technical and process-related aspects of information security. This is based on ISO standards but localised taking into consideration the country’s uniqueness - culture, sources of national income, industries,” Ismael says. “Right now it is mandatory but not enforced because we are working to build maturity around the importance of compliance. But this will form the cornerstone of every organisation’s ISMS (information security management system) which is what we are all working for.” The truth of the matter is that resistance is natural, especially in business which tend to only look at returns on investment, Ismael says. “ROI is not obvious when it comes to information security and
bring a case against the identified suspect. While it is therefore not a surprise that prosecutions and arrests may be low in cybercrime, it does not mean that rule of law cannot act as a deterrent. Rather it means that these challenges must be addressed to provide a harmonised response to this threat. From our perspective, the solution to this is clear: we need a global alliance, bringing together all concerned stakeholders from the private and public sectors, to tackle this new paradigm shift and place the necessary information and technology into the hands of police. Interpol seeks to implement a Global Alliance against Cybercrime that will focus on three key spheres of action – legislative harmonisation, capacity building, and operational support. We will encourage member countries to develop legislative frameworks that empower police to investigate cybercrime with a view to prosecution. We will work with member countries to ensure that they have the required dedicated resources and expertise to investigate cybercrime. And finally, we will support our member countries during their investigations, sourcing and consolidating intelligence so that they can take action.
it is hard to put a monetary value on security incidents and push for something based on probabilities and what-if scenarios.” This is why it is more effective to educate companies and individuals, rather than enforce compliance, so that they recognise the need for these guidelines and adopt them willingly. The development of each of these standards, based on extensive study, research and forward-thinking that keeps in mind the new threats created by adoption of new technology, is a structured process, Ismael says. “Once the first draft has been drawn up, it is submitted for internal review. Then we invite stakeholders from the industry to review it and collect feedback.” The cycle is repeated until a practical version of the regulations has been arrived at, approved and published. But the work doesn’t end there. “All of the standards are revised every year; sometimes even more than once, especially when emergency updates are needed.” As more and bigger infrastructure start coming online, the need of these industry-specific standards will keep growing. “Many of the mega projects by themselves will constitute a sector, each needing its
"THE QATARI GOVERNMENT IS VERY MUCH AT THE FOREFRONT WHEN IT COMES TO DEVELOPING NATIONAL STANDARDS FOR CYBER SECURITY." AHMED ABDELLA RSA Regional Director, Turkey, Emerging Africa & Middle East
QATAR TODAY > MAY 2014 > 45
COVERSTORY > IN THE FRONTLINE, ONLINE SECTOR-SPECIFIC STANDARDS ictQATAR has worked with several national entities to craft standards specific to various industries. The Banking Supervision Rules developed with Qatar Central Bank Cloud Computing Security mainly targeting government data (Ismael says, "This is still in the draft stages and tries to address issues like what kind of government data can be hosted on the cloud, subject to legal instruments in the hosting country.”) Small Data Centre security guidelines (an alternative to restrictions on cloud hosting) BlackBerry Security Policy for government agencies that use BlackBerry devices e-Health guidelines (which is in the initial stages of draft) NICS standards for SCADA systems Information security for schools and universities which are often a hot-bed of spam Public Wifi Access security guidelines
THE QATAR NATIONAL INFORMATION ASSURANCE POLICY WILL FORM THE CORNERSTONE OF EVERY ORGANISATION’S ISMS (INFORMATION SECURITY MANAGEMENT SYSTEM), WHICH IS WHAT WE ARE ALL WORKING FOR.
ASHRAF ALI ISMAEL National Information Assurance Manager ictQatar
46 > QATAR TODAY > MAY 2014
own standards and policies,” Ismael points out. “Qatar Rail is one such huge project that will require specific attention from us to ensure secure operation of the trains which will all be smart, driverless and guided by computer systems. Regulations would also have to be put into place to govern the safe use of high-speed internet for passengers, the ability to book tickets online, etc.” Additionally, the World Cup 2022 projects would need IT regulations, as would the smart grids and smart meters that Kahramaa is very keen to adopt. “This will lead to efficient use of energy but will also introduce unthinkable new threats to privacy and national energy resources. We have to recognise these and put in place preventive measures to guard against them,” he says. A region under attack “The Middle East has seen the worst viruses in history over the past three-four years. No other region has gone through what we went through,” says Sherin solemnly. “Bugs like Flame, Duku, Shamoon, these are nothing like the viruses that you see at home. They are called APTs (advanced persistent threats), like Stuxnet, the malware that hit the Iranian nuclear facility. It was a targeted attack, designed to work only on the facility’s network. And though many of these originated here in the region, they eventually spread to infect more than 120 countries worldwide, moving through USBs and some are even available for download online.” Beek also says that the McAfee Cyber Defense Centre, which “monitors threats in the region and proactively helps protect customers”, has been busy of late. The ability to really zoom in on a country and have a bird’s eye view of the commotion on the
ground, be it malware threats or botnet attacks or even trading of stolen information like credit card data, has helped the centre warn its clients of impending attacks and facilitate faster recovery, he says. Depending on the size of the company and the scale of the attack, it might take up to seven days to get an infected system back to normal, according to Beek. When it comes to the GCC at least, we carry the sense of security we feel in the physical world to our online world, which has been our undoing, Abdella says. “The reason we tend to lag behind in this region, in terms of cyber security, when compared with other more developed countries in the US and Western Europe, is partly because of this fake sense of security. We leave our cars running on the streets and come back to find it exactly as it was, but this is not how it works online,” he says. And worryingly, the skills and resources required to mount attacks on individuals and companies are becoming increasingly common. “We see more and more tools being published online, more knowledge being shared. Even five years ago, attacking, say a plant, would have been very resource intensive. You’d need a team with different skill sets, coming together to analyse, plan and execute the attack over a long time, using a lot of different kinds of tools and requiring a lot of funding. But this is not the case anymore, which is bad for us, the good guys,” says Sherin. “Some websites will, for a fee, custom-build malware to attack certain software. They even have after sales and customer service support with money-back guarantees,” he says wryly, “Real top of the line service.” In the case of personal attacks, you don’t even have to be smart anymore, it’s
just a matter of collecting information until enough is known about you to create a targeted attack, Baskaya says. And most traditional anti-viruses, be they on PC or mobile, are helpless against this kind of socially-engineered, non-signature based malware. These are often surprisingly easy to create too, because of all the information out there; the region as a whole loves technology, they understand it, it’s culturally important to them and they love to share. It is, of course, possible to stay relatively safe once you establish a code of conduct for yourself when you are online. Companies need to do the same, by implementing best practices and following a recognised set of standards. The ABC of data security EMC Corporation’s RSA provides security solutions to a number of financial, telecom, government and oil and gas companies in Qatar. At an all-day cyber security event hosted by the company in Doha recently, Abdella pointed out some of the ‘pillars’ that each company must put in place to protect its data. “Primarily, it’s most important to have a visibility layer that allows them to see what is happening across their networks and infrastructure, alerting them to anomalies which often happen during an attack,” he says. “Every company can be expected to be attacked one way or the other,” Sadiq echoes, “The internet, by default, is not a secure place and there is no 100% security. A company has good cyber security if it can detect an attack early and recover quickly with minimum damage.” “Secondly,” Abdella continues, “the company needs to have identity management and governance, ensuring that the right people have access to the right information and are authorised to do certain things. Third, there needs to be a governance risk and compliance which has policies in place to track violations and prevent them from happening, thus protecting the company’s
infrastructure, employee and customer information.” The problem lies in the fact that big, old companies have a lot of legacy; they have been running for decades and digital architecture has been continually added on top of these systems, resulting in a delicate balance. There is no doubt, change is beneficial. What was once isolated and proprietary is now integrated. Processes can be monitored, controlled and operated remotely; troubleshooting can be done from thousands of miles away and hand held devices can mimic the plant’s human-machine interfaces. But protecting this architecture becomes increasingly difficult and important due to all the new access points. Mobility is only compounding this problem. And the questions surrounding cyber security in the era of Smart Cities are resonating around the world, with concerns about privacy violations and unauthorised access to devices connected to the network. The attacks so far in Qatar have been very complex and this isn’t likely to change. In recent cases, the perpetrators knew what they were doing and targeted the information they were after with clinical precision. But, worryingly, most of the companies that have applied for Q-CERT’s help in the past “did not have the right protective measures in place”, according to Kamal. “This is normal,” he shrugs, “because it’s still new and not everyone is ready. But, predictably, once they have been hit once, they immediately start to apply information security systems by the book, employing professional teams and processes. And once there is a major incident in the sector, other companies in the industry, wary of being the next, approach us with queries. This has happened in media, government and energy sectors in Qatar in the past,” he says. For many of them, this was long overdue. For those who underestimate the risks, lessons will have to be learned the hard way
MOST OF THE COMPANIES THAT HAVE APPLIED FOR Q-CERT’S HELP IN THE PAST DID NOT HAVE THE RIGHT PROTECTIVE MEASURES IN PLACE.
MOUNIR KAMAL Incidents Handling and Digital Forensics Manager at Q-CERT, ictQATAR
QATAR TODAY > MAY 2014 > 47