LEBANON COMPUTER SECURITY A RISK IN MIDDLE EASTThe Daily Star - Business Articles - Mideast increasingly at risk from cyber-crimeMideast increasingly at risk from cyber-crime
Lack of awareness and limited expenditure on security leaves region vulnerable

By Nicholas Noe
Special to The Daily Star
Tuesday, May 31, 2005

BEIRUT: Almost halfway through 2005 and it already seems as though this year will far surpass 2004 as the worst year on record for global cyber-crime. Perhaps more disturbingly, despite having racked up impressive numbers last year - online viruses grew by more than 50 percent and identity theft attempts rose by more than 30 percent - recent reports of widespread breaches at some of the biggest U.S. corporations have finally seemed to offer compelling proof that even the most sophisticated networks are vulnerable to corruption, eavesdropping and outright larceny.

In the Middle East, where experts say awareness of cyber-crimes as well as laws punishing such acts are lacking, the disclosure last week of a major breach of Internet routing equipment widely used across the world has also served to compound concerns that the region's businesses and consumers may be more vulnerable to cyber-crime than is generally acknowledged.

"There is a lack of awareness especially among some of the large enterprises in the region," explained Hussam Kayyal, General Manager Levant for Internet powerhouse Cisco Systems.

"And there is risk because the expenditure that we see on security devices in Lebanon, as one example, is not high. I have also not seen network audits or security audits as a popular service which means that customers are not aware of potential threats."

Cisco Systems recently found itself at the center of one of the largest international cyber crime investigations after engineers discovered sensitive coding for its Internet routing equipment had been stolen earlier last year.

Cisco Systems provides the largest share of the infrastructure upon which Internet traffic is directed.

According to the New York Times, the FBI found that the break-in at Cisco Systems was just the tip of a much larger operation, apparently based in Europe, in which thousands of computer systems were breached, including those serving the U.S. military, the National Aeronautics and Space Administration as well as prominent research laboratories.

Although the holes in Cisco's equipment were eventually plugged, the Times said it was still "not clear how much data was taken or destroyed," as a result of that breach as well as the subsequent breaches that followed.

Although statistics on cyber crime in the Middle East are generally hard to come by, according to one recent survey by Symantec, a leading Internet security provider, among countries with a relatively low number of Internet users, five countries from the Middle East region have been classified as among the top 10 countries vulnerable to hackers' attacks.

These countries are Iran, Kuwait, U.A.E., Saudi Arabia and Egypt. Indeed some of these countries have already been the victims of high-profile penetrations.

In one particularly sensational case in 2003, $5 billion was stolen by hackers from ATMs in the U.A.E. during a prolonged operation.

Even in Lebanon, with its comparatively small number of Internet users, e-mail for the entire .lb domain nearly crashed last year when four of the system's five servers were targeted by attackers who attempted to overwhelm it with requests.

While other such incidents have been brought to light recently, experts warn that the dearth of statistics and publicly disclosed incidents in the region does not mean that strict security standards are being met.

Instead, lax reporting laws in many countries, combined with a lack of rules punishing cyber crimes, often means that companies don't need or don't want to report breaches.

In Lebanon, in particular, "there hasn't been enforcement on security standards from the likes of the

Central Bank," said Cisco System's Kayyal.

"This has slowed down Internet banking here, for example, because of the lack of security guidelines and enforcement. Even if you find a person in Lebanon who hacked into a computer, its difficult to prosecute him," explained Bernard Tabib, security chief for Lebanon's largest Internet service provider IDM.


"In the e-mail crashing case here, no one was prosecuted ... so some companies don't even want to report incidents."

Although certain kinds of cyber-theft, like credit card fraud, are mostly covered by existing statutes, data theft or cyber eavesdropping are among several legal gray areas in Lebanon, as well as in other Middle East countries.

"The problem is if [a hacker] admits his crime here then you can prosecute him. If he does not admit it, it is very hard to prove guilt," said Tabib.

"I don't even think they are following someone who is accessing someone else's computer ... it's only when a charge comes from Interpol or [the breach] is really dangerous to society. So that's our problem in Lebanon: [the authorities] are not dedicated to the Internet."

They are learning though. Although Lebanon may be late to the regulatory game, other countries in the Middle East have not necessarily been entirely prompt in addressing their legal gaps either.

In fact, the U.A.E. announced two weeks ago that a variety of cyber crimes will now carry a maximum penalty of 15 years in prison and a hefty fine.

The law explicitly protects the privacy of Internet users, information systems and online government information and documents, according to a report from Gulf News.

Of course, laws alone won't make the region's networks any safer.

According to the latest research from the Gartner Group, just $20 million was spent in the region on investigating cyber-crime three years ago.

"Official pursuit of the Internet criminal is lacking, which makes it imperative for companies to make their own arrangements to protect their networks," said Jari Valvisto, regional vice president for the security company Stonesoft.

Despite such warnings though, said IDM's Tabib, "Most companies here don't have security polices, that is the problem."
"If you don't have a proper process in place," explained Kayyal, "then one person who decides to have a dial-up Internet access to his office could compromise all the investment you do to build a secure infrastructure in your enterprise."

According to a recent survey by Pointsec, mobile computing devices, in particular, offer an especially vulnerable point in many enterprise security efforts: 40 percent of business users had lost a mobile phone and 25 percent reported having lost a PDA.

The survey showed that more than 50 percent of users save their PIN codes and passwords on their PDA device while 81 percent said they store very valuable business critical applications or information on their mobile device.

"More than 50 percent of malicious corporate network penetrations are now conducted through stolen or lost mobile devices," said Sascha Beyer, Pointsec Middle East and India managing director.

"Policies should be set up on an enterprise wide level that makes it mandatory for all laptop, PDA and Smartphone users to use a security solution with access control and data encryption," she added.

"Every time there is a virus, companies look at upgrading their anti-virus systems rather than thinking what can we

do within our organization," said Kayyal.

"We have seen organizations who have spent a lot of money in the region who have looked at [this issue] only from an IT perspective and not a process perspective. They

discovered that, once they do an audit, they have holes and gaps because they do not have a whole security system in place."