Middle Eastern enterprises, governments and consumers are increasingly becoming the targets of sophisticated cyberattacks that are aimed at stealing personal information, proprietary business data and, in some cases, exposing state secrets. At GISEC 2021 in Dubai last week, attendees had the chance to discuss new security methodologies, hear what more than 180 speakers say about how to protect their data, and check out what more than 150 different vendors have to offer.
The move to remote work caused by the pandemic and recent geopolitical tensions have caused technology executives to scramble to protect their networks. But the technology and nature of cyberattacks are changing and improving.
The traditional approach, where the emphasis is on protecting the most important resources from already known threats, is not effective and, moreover, carries great security risks in general, according to GISEC speakers and attendees.
There is no doubt that security is a priority for tech leaders. Worldwide spending on information security and risk management technology and services is forecast to grow 12.4% to reach $150.4 billion by the end of this year, according to the latest forecast from Gartner.
At GISEC, attendees had the chance to hear what experts consider to be the top security threats today, and the latest methods used to fight them. For the first time at the show, a Turkish Cyber Security Cluster, consisting of eight companies involved in cybersecurity R&D, products and services, was on hand, as well as more than 30 companies at the Israeli pavilion.
Ransomware is on the rise
In the world of cybersecurity, new forms of threats and vulnerabilities are constantly emerging. But ransomware is turning out to be one of the most destructive, persistent, and difficult threats to prevent, and the epidemic of such programs shows no signs of slowing down.
Ransomware is becoming a major cybersecurity problem worldwide, including in the Middle East, according to Lalit Shinde, chief revenue officer at cybersecurity company Seceon. Official statistics show what is publicly known but there are cases that are not reported. In the last three months there were hundreds of organisations infected, including educational and healthcare organisations, he said.
Most of the time the affected organization pays the ransom, although paying is not a good idea, as companies can be attacked again by another ransomware company, Shinde said.
“The UAE is not much into cloud but it is emerging, which is good because we can detect threats quickly in the cloud with the automated SOC [security operations centre] analysis technology we are using,” Shinde said.
The amounts paid to ransomware attackers, and the costs of remediation efforts, are staggering. In 2016, WannaCry ransomware caused a whopping $4.1 billion in damage.
“There is no way to fight it because once infected you can’t decrypt the data,” said Ahmed Saleh, a sales engineer at Recorded Future, adding that the solution is to constantly back up data.
He said ransomware attacks on companies in the Middle East are rising. Just last month, two Saudi companies fell prey to the so-called Avaddon ransomware; the companies were hit with a ransom request and had their data published on a so-called extortion site — a special website built to house stolen data, where it is up for sale to the highest bidder.
Some $20 billion of ransom money is likely to be paid to extortion sites globally by the end of this year according to Amitai Ratzon, CEO of Pcysys.
“If we look at the difference between 2020 and 2021 we have seen almost a three- to four-time jump in the absolute amount of ransomware so it’s not a crazy thing to say that it’s going to grow to up to $60 billion in the next two to three years,” he said.
If before only big companies were hit, now even small insurance or retail companies are also reporting ransomware attacks, Ratzon said.
Up to now security has been about prevention and detection, with tonnes of money being invested in antiviruses and firewalls, but the next decade will be focused on validation, he said.
“The solution is as we say ‘don’t assume, validate’, which means launch ransom attacks against yourself for real and be the bad guy who is working on your network to see how it looks from outside,” he explained.
5G and AI open up new attack vectors
While 5G holds great promise for new enterprise and government services, it also opens up new security risks. Meanwhile, Gulf Cooperation Council (GCC) states will be amongst the first in the world to launch commercial 5G networks.
The AI component of 5G is one aspect of the emerging mobile technology that may introduce vulnerabilities, according to Yuval Elovici, head of the Ben-Gurion Cyber Security Research Center. AI will aid network slicing, which lets operators create different virtual networks over a common physical transport, optimising each network “slice” or virtual segment for a particular service.
Calling AI in 5G a ‘double-edged sword’, Elovici said that while on one hand AI can be used to develop advanced cybersecurity tools, attackers will likely try to focus on the AI component of new networks to defeat defence mechanisms.
“We need to find ways how to make AI most secure against conceptual attacks, to make it more resilient against cyberattacks,” Elovici said. Conceptual attacks, also known as adversarial AI attacks, can involve nearly invisible alterations to images, speech, and other data for the purpose of fooling AI-powered classification tools.
5G will also lead to more devices being connected, opening up new attack vectors for hackers. Billions of components and systems are going to be connected all over the world, and although 5G is more secure than existing LTE and other systems, it is not fully secured, said Brig. Gen. (Res.) Rami Efrati, founding member and former head of the Civilian Division of the Israel National Cyber Bureau – Prime Minister’s Office.
“Imagine there are no regulations, you have the same password both for your vacuum cleaner and refrigerator,” Efrati said. “I don’t care if my refrigerator is going to attack my vacuum cleaner but I’m totally afraid if somebody attacks my smart meter and through my smart meter goes to [a] city to take things.”
Common protocols at different layers of the network, and agreement at the national and international level on what they should be, will help application compatibility, and the development of security programs.
“We need to take out our ego and speak to each other and this is going to help,” Efrati said.
Governments around the world have already started.
“We have recently set up this 5G security working group bringing together government entities and private sector to develop a framework of security for 5G among all the OIC member countries,” said Haji Amirudin bin Abdul Wahab, CEO of Cybersecurity Malaysia and board member at OIC-CERT, the Computer Emergency Response Team for Organisation of Islamic Cooperation (OIC) member countries.
He said the group currently has 12 members, including the UAE, and is expected to grow and develop a framework for security that is not vendor-driven.
“We want the OIC to take lead and encourage more entities like governments, vendors, and developers to join and once we have a registry of security risks we will share it with the rest of the world,” he said.
Protecting critical infrastructure is paramount
A dozen Israeli OT (operational technology) and IT companies came together at the show, announcing a consortium whose goal is to develop technology to tackle the targeting and disrupting of critical physical infrastructure. While IT deals with transferring data among computers and humans, OT moves data among physical things such as sensors and manufacturing equipment to monitor and control industrial processes.
IoT, the internet of things, brings OT and IT together, which increases the possibilities for attacks on IT systems to affect the physical world, and vice versa. “We are trying to address this duality,” said Michael Arov, head of the Cyber Business Unit at Rafael Advanced Defense Systems, based in Haifa, Israel.
5G, with its superfast connectivity speeds, will encourage the growth of IoT networks, which will form the basis for smart cities that are being built in the Middle East.
The Israeli consortium will strive to find solutions to help protect infrastructure at municipal sites, airports, utilities, and other locations involved in critical infrastructure, Arov explained.
Water facilities are frequently the target for cyberattacks, according to Danny Lacker, head of the Water Security and Emergency Division, Water Authority – State of Israel.
Last year there were several attacks on water and sewage facilities in Israel, though consumers were spared from any consequences, he said.
“We got very good alerts and we managed to handle them. We are using a lot of technologies including advanced detection systems and conduct a lot of drills round the clock,” Lacker said.
The right way to fight this kind of cyberattack is for governments and enterprises to share knowledge and work together, he said.
Zero trust security architecture
Zero trust architecture is one of the most common buzzwords in the cybersecurity community these days and it was a hot topic at GISEC. Zero trust is a security architecture that involves verifying every user and device that tries to access the network and enforcing access controls that limit devices and users to only the resources they need to do their jobs.
Considering emerging technology such as 5G and IoT, the beauty of the zero trust approach is that it can be applied not only to IT, but also to operational technology and industrial control systems, noted Muath Al Homoud, CISO at Tasnee, which has a wide range of activities in industrial services and environmental technologies.
As an increasing number of devices and systems are connected via 5G and IoT systems, zero trust architecture will help bring about a more dynamic and adaptive approach to cybersecurity.
However, road maps will be needed, because it’s not easy to deploy identity and access controls throughout complex infrastructure, Al Homoud said. Network segmentation gateways may help. The segmentation gateway concept calls for taking features of individual security applications and embedding them in single solutions that can then segment and protect sensitive data in network microperimeters.
“We may consider having an incremental way of developing and putting [a security feature] in a segmentation gateway and once it’s working and has been tested we can move another cybersecurity solution into that segmentation gateway,” Al Homoud said.
Zero trust, though, requires an organization to have people with mature security skills as well as the resources to implement such a wide-ranging initiative, Al Homoud said.
“It’s a matter of time but still, we are not there yet. Hopefully soon we will be as there are many applications when it comes to IoT using 5G, such as having augmented reality glasses and managing a whole factory using robotics without human interference,” he said. “I’m optimistic and I think that in the next five years we will … reach that level of maturity where we can fully address these applications,” he said.