Experts blame IT spoofing on lack of awareness about digital security


By Javid Hassan, Arab News Staff

Monday 23 April 2001

Last Update 23 April 2001 2:03 am

RIYADH, 23 April — Inadequate knowledge of firewalls and other elements of the data security system is rendering some of the Kingdom’s major organizations vulnerable to cyber attacks.


“One of the problems we have faced is to convince the organizations that they need to update their firewalls. They are not ready to accept that security is an issue, because it requires training and experience,” an IT specialist in digital security told Arab News.


Mujtaba Bhatti of Matrix, an IT specialist firm, was speaking at a digital security seminar here yesterday.  The seminar, held in collaboration with @Stake, an American IT firm, dwelt on various aspects of Internet security to drive home the point that “security is a process, not a product.”


The Council of Ministers decided early this year that a permanent committee should be set up to handle issues connected with Internet security so as to prevent access to offensive material. The need for such a committee has also acquired urgency in the context of the move to promote e-commerce in the Kingdom. All these issues are being examined by the Internet Unit of King Abdul Aziz City for Science and Technology.


Speaking to newsmen after the seminar, IT professionals Bhatti, Rashid Khan, Waqar Anwer and Imran Baig said lack of expertise in the firewalls system had created the problem of IT spoofing in the Kingdom. “It’s an indirect attack. They use your network to hack someone else, thereby covering their own tracks. One of our customers informed us that his website was used to attack someone else,” Rashid Z. Khan, manager of operations, said.


“There are two types of hackers,” he observed. “First, someone gets inside your system to look at your information. Alternatively, they use your network to hack or attack someone else.”


Asked if the Israeli cyber attacks were still continuing, Waqar Anwer said: “Hacking cannot be stopped. The important thing is to secure your own system against hackers. They (the Zionists) targeted Saudi websites in the past and they will continue to target them, since the Kingdom is a strong supporter of Palestinians.”


He said what renders the security system vulnerable to the cyber attack is a certain firewall sold in Saudi Arabia. “It’s a dangerous situation, because you can hack, change, or do whatever you want to with that weapon. KACST is aware of the problem and is trying to deal with it. But the problem is that Saudi organizations have invested billions of dollars in installing those firewalls in their system. So it’s not that easy to dismantle the system right away.”


The IT experts said Saudi organizations were unable to mount an effective counterattack. The situation was compounded by the fact that Israel was trying to make blueprints of “our networks by the use of scanners. Scanners give you the blueprint of a network and facilitate access to the stored data.”


Baig, a sales engineer, observed that Saudi organizations were not very particular about updating their systems. “They wake up only when their system has been hacked. But most of the time they are not even aware that their data is being stolen or made use of by others,” he said, stressing the need for developing in-house capability in the field of data protection.


Waqar said the main problem was that Saudi companies do not test their security systems on a regular basis. “So what we are telling the participants in the seminar is that if your security is not configured properly, it is useless for them. We are also training the people in the security system.”


Asked about the organizations that have been hacked, he said they include some banks and other large organizations. “The important thing is that you need to remain up to date with your security gadgets. This seminar is to update them on the state of the art in the data security market.”


Noting that there was a false sense of complacency on the part of the organizations, Baig said: “Their usual statement is: ‘We were safe during the last six or eight months. It happened only now.’ They take their data security for granted. They don’t go to the Internet site to find out what is happening around in the field of data security.”


They noted that most of the security breaches occur whenever the organizations with a large database or userbase “extend or alter their network. Then they are opening another door for the hackers to come in. Security is a process, not a product. You have to monitor it constantly to make sure that it is working. The firewalls need to be updated periodically.”
