cyber trends
www.intelligentciso.com | Issue 20

that your critical data is separated from your non-critical data.

I think some organisations probably haven’t even gone through that process of saying, ‘what is our critical data?’. And if you look at our research, but also pretty much all research in this space, most attacks still start with a phishing email.

If you get these basics right, you educate your users, you have multi-factor authentication, suddenly that initial hurdle to get into the environment through phishing becomes so much harder.

How much of a role does education and ongoing training have to play?

I think it’s key for a couple of reasons. You can always debate whether end users have responsibility, and we would say they do, but of course they’re not experts, so they can always be tricked and you can’t blame the end user sometimes for falling for what’s quite a sophisticated attack.

Educating end users will increase the bar but I think educating executives is really important – they’re not technical specialists, but they are responsible for the business impact.

If you look at public attacks like WannaCry or NotPetya, there were organisations caught up in that where the total bill was over one billion dollars so we’re talking huge business impact. At the time it hit, executives might not have even been aware what ransomware is or how it works.

So education is key, not just for end users but for executives, who have to invest in and take responsibility for the security of an organisation.

Are there any particular threats to Kuwait organisations or any difference in cybersecurity approach?

We’ve seen a lot of targeting of government entities in Kuwait. And that’s with both the known APT groups I’ve mentioned, but some of those that we believe are Iranian but we haven’t named.

I think Kuwait, within that GCC and Middle East context, is lagging behind the Kingdom of Saudi Arabia (KSA) and the UAE in terms of investment and approach to cybersecurity.

It’s definitely being targeted. We’re seeing quite a lot of what look to be successful attacks from Iran, in particular, against Kuwait. And I think at some point we’ll expect to see the same realisation and change in approach within Kuwait that we are seeing elsewhere in the GCC.

If you look at the UAE and KSA in terms of government investment and support these are way ahead.
Can you offer insight into what it’s like to be working on the frontline of incident response?

We always have the issue that no one’s ever pleased to see us – we’re always there because they have a problem.

It tends to be that we’ll get a call, often on a Thursday or Friday night, from someone in a panic, who has a significant problem. So that’s the start point.

I think we then always have our own education piece because often we’re dealing with, let’s say the technical team or a CISO, who understands what a cyberattack is but not how it’s going to play out.

They’ve got one system that’s behaving oddly and they want us to focus on that system. Quite often when we see APT34, for example, they will have either tens or sometimes hundreds of systems that they’ve compromised.

I think the most difficult part of being on the front lines is you’re constantly giving more bad news to the victim, until they get this full realisation that it’s not likely to be just one system or a few systems, it’s likely to be network wide, multiple systems and multiple accounts. In the worst cases, we’ve seen attackers have been in an environment for up to five years.
Are there any emerging threats that CISOs should be preparing for?

One would be around a DNS hijacking campaign. I think one of the issues we’ve had getting entities to take this seriously is that it sounds very technical but really, in summary, we’ve got attackers who are managing to divert all traffic for a given organisation, or in some instances a given country.

And then they have access to all of that traffic including the encrypted portions of it. I think one of the reasons that it hasn’t come to the fore previously is because it also can happen outside of the victim network so the victim is investing in technology and they think they’re secure but someone’s managed to compromise their DNS admin panel and they’re diverting traffic outside of the network.

The reason it becomes really important is that, if one of those servers is an email server or VPN server, or remote access, the attacker gets to collect all of the passwords and even the second factor authentication of everyone that’s logging in to that server while they redirect the traffic.

There are some really simple steps that you can take to mitigate that in terms of multifactor on your DNS admin panel. So, we’re urging people to look at that as a key theme from the year.

There are also information operations where we’re seeing multiple nation states, but also other politically motivated groups, pushing out misinformation. And sometimes that can also be used to target individuals, so you will see inauthentic social media accounts used to make contact with people.

That’s a new methodology of phishing as well. So, broadly, inauthentic media and information operations are areas which haven’t featured prominently to date but I think people need to be aware of.
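The DNS hijacking described in the answer above diverts traffic by changing the records an organisation publishes, so the practical detection is to pin the expected NS, MX and A records for credential-bearing hosts and alert when what resolvers return drifts from that baseline. The script below is an added example and is not part of the interview or the speaker's tooling; the domain, addresses, netblock and the dig-style snapshot it parses are all constructed (RFC 2606 / RFC 5737 values). In use, the observed snapshot would be collected from resolvers at several vantage points, since a hijacked zone may answer differently per region, and the check complements rather than replaces multi-factor authentication on the registrar and DNS admin panel.

```python
"""
Detect DNS hijacking by comparing currently observed records for an
organisation's domains against a pinned baseline.

Added example, not code from the interview. Every name, address and
netblock below is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

RecordMap = Dict[Tuple[str, str], Set[str]]

# Pinned baseline for a hypothetical organisation, keyed by (name, type).
# Values are sets so answer order and duplicates do not matter.
BASELINE: RecordMap = {
    ("example.com", "NS"): {"ns1.example.com", "ns2.example.com"},
    ("example.com", "MX"): {"10 mail.example.com"},
    ("mail.example.com", "A"): {"203.0.113.10"},
    ("vpn.example.com", "A"): {"203.0.113.20"},
}

# Address space the organisation actually controls (constructed). An A
# record that suddenly points outside it is the classic sign of diversion.
OWN_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Hosts where users present passwords and second factors; a change here
# lets an attacker harvest both in transit, so it is treated as critical.
CREDENTIAL_BEARING = {"mail.example.com", "vpn.example.com"}

# Constructed snapshot of what a resolver returned during an incident:
# only mail.example.com has been repointed to an attacker-controlled host.
OBSERVED_SNAPSHOT = """
; name  type  value  (dig-style, one record per line)
example.com.      NS  ns1.example.com.
example.com.      NS  ns2.example.com.
example.com.      MX  10 mail.example.com.
mail.example.com. A   198.51.100.7
vpn.example.com.  A   203.0.113.20
"""


def parse_snapshot(text: str) -> RecordMap:
    """Parse 'name TYPE value' lines into a record-set map.

    Trailing dots are stripped and names lower-cased so that the same
    record written two ways compares equal.
    """
    records: RecordMap = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        key = (name.rstrip(".").lower(), rtype.upper())
        records.setdefault(key, set()).add(value.rstrip("."))
    return records


def in_own_space(ip: str) -> bool:
    """True if the address lies inside a netblock the organisation owns."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_NETBLOCKS)


def detect_hijack(baseline: RecordMap, observed: RecordMap) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for every record set that drifted."""
    findings: List[Tuple[str, str]] = []
    for (name, rtype), expected in baseline.items():
        actual = observed.get((name, rtype), set())
        if actual == expected:
            continue
        added = actual - expected
        # NS changes hand the whole zone to the attacker; credential hosts
        # expose passwords and MFA codes. Both are critical by default.
        severity = "critical" if rtype == "NS" or name in CREDENTIAL_BEARING else "warning"
        msg = f"{name} {rtype}: expected {sorted(expected)}, got {sorted(actual)}"
        if rtype == "A" and any(not in_own_space(ip) for ip in added):
            msg += " (new address outside our netblocks)"
            severity = "critical"
        findings.append((severity, msg))
    # Records the baseline never had (a new MX, a wildcard) also deserve a look.
    for key in observed.keys() - baseline.keys():
        findings.append(("warning", f"{key[0]} {key[1]}: unexpected record {sorted(observed[key])}"))
    return findings


if __name__ == "__main__":
    for severity, message in detect_hijack(BASELINE, parse_snapshot(OBSERVED_SNAPSHOT)):
        print(f"[{severity}] {message}")
```

Run against the constructed snapshot it reports a single critical finding for mail.example.com, whose A record now points at 198.51.100.7, outside the organisation's netblock; the unchanged NS, MX and VPN records produce nothing. The comparison is deliberately on whole record sets rather than individual answers so that round-robin ordering does not raise false alarms.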