Naureen Aqueel

Pakistan’s security landscape

Posted on: July 7, 2009

An edited version of this article was published in CSO Pakistan, July 2009.

The hi-tech digital era has opened the door to a range of possibilities and risks. While on the one hand we have connectivity and easy access to and management of information, on the other the risks involved have also increased. Information is now more vulnerable to misuse as more and more of our storage systems become digitalized. In fact, most companies, bodies and institutions now store, collect and process their sensitive and confidential information on computers. The need to protect this sensitive information therefore becomes ever more important in a world where risks to information security are evolving with the same speed and frequency at which cyberspace advances.

While Information Security (IS) is getting an increased amount of attention lately, the field is still new in Pakistan. Qazi Ahmed, founder of PakCERT, is one individual working to secure the information landscape of the country. Speaking about awareness of Information Security among Pakistan’s enterprise community, Ahmed recounts, “When I started PakCERT back in February 2000, most organizations had no clue about security. This was mainly because most companies were not relying much on technology and so there were hardly any businesses that could understand the risk of a security breach or downtime. During 2004-2006, security became a buzzword but there was a lack of security awareness and workforce to understand and show the importance of security to the organization. Luckily, during the past two years there is an increase in people taking security as a profession and these professionals are going for industry leading certifications and trainings and thus bringing back security knowledge and showing its importance to their organizations. Security awareness now is far better than what we had back in those years but the enterprise community still needs to adopt a more practical approach leading into the right direction.”

PakCERT Security Services is an organization aiming to provide anyone the means to protect their valuable information assets by giving organizations and individuals direct access to hackers and other IT professionals not usually available for hire. The organization employs the latest exploit codes and techniques the underground has been using for years to exploit networks. It uses the same techniques to harden networks from intruder attacks.

Ahmed is the Pakistani who discovered a critical security flaw in MSN’s Hotmail/.NET Passport services in 2003. “It was April 2003 when while helping my brother reset his hotmail account, I found the hotmail password process a bit insecure and decided to test it since such vulnerability research was never made from Pakistan,” narrates Ahmed. “It took me only a couple of hours and some test email addresses along with HTTP protocol testing tools to discover two serious security vulnerabilities. First vulnerability allowed me to bypass the date of birth verification process and the second vulnerability allowed me to reset any hotmail/msn account and receive the password reset link on my own email address. I made it public in May 2003 during a press conference in Karachi and it was covered by major online and print media. It was very surprising for the rest of the world to know that a Pakistani discovered such a critical security flaw in Hotmail/.NET Passport services.”

Institutions ranging from private businesses and corporations to government bodies and the military all use computers to collect, store and process their sensitive information. Keeping in view the damage that could be incurred by a breach of any of their confidential information systems, it is vital for these institutions to realize the importance of a proper system of information security for the protection of their valuable information assets. Information security therefore becomes vital for everyday transactions as well as for protecting stored information.

With respect to the corporate enterprise, Ahmed sees many loopholes in the security landscape. He attributes this to a lack of training and a lack of awareness among IT professionals and programmers. “Organizations are relying greatly on technology solutions to run their businesses with a keen interest to adopt the latest technology trends,” says Ahmed. “Customized web applications and databases are getting common and so are interactive websites to connect employees, partners and customers and this introduces one big problem; complicated code. Programmers are not properly trained for secure programming and often leave the web application vulnerable to different attacks. At the same time, IT and IS professionals are only trained on vendor products and cannot understand the risks associated with such customized code. Organizations have focused only on external attacks but due to increase in malware, phishing scams and internal threats as well as end user mistakes companies are now trying to focus on internal security as well. Traditional security products and standards which are usually implemented as a silver bullet are failing and companies are now looking for more rigorous solutions like Vulnerability Assessment and Penetration Testing to get a feel of real attacks and see how traditional security controls can be thwarted by hackers and how such vulnerabilities can be fixed for good.”

Ahmed points out that in most local companies security often comes as an afterthought and is not given the attention it deserves right from the beginning. “Even though most companies have traditional security measures in place like antivirus, firewalls and access controls but without proper information security management and auditing, such traditional security measures do not give expected results,” he says. “Most of the time good security practice is an afterthought and sometimes good security practice is taken as a temporary attempt to patch a vulnerability till they get hit by the next one. There are organizations which are very serious about protecting their information assets but are lost in the technology jargons, standards and vendor products. Organizations need to understand that products and standards provide a minimum baseline and not a foolproof security environment. I have worked with many clients some of which had a good layered approach in terms of security with antivirus, firewalls, IDS, VPN, and different IS standards in place to protect their information assets but they lacked proper understanding of technical attacks and were still vulnerable. It is indeed scary but I would share that I still boast of a 100% penetration rate and yes, this means that every organization for which I performed a Penetration Test had a critical security vulnerability leading to a compromise!”

In such an alarming scenario, Ahmed quite rightly stresses the need for a proper and separate arrangement for IS in local companies. Most organizations in the country tend to couple the budgets and work of their IT and IS departments. Ahmed strongly disagrees with such practices. “Coupling budgets and work for IT and IS departments would hamper the functionality and priorities of IS department,” he explains. “Just like CFI/CIO/CTO, the IS department should be headed by a CSO/CISO aligning the scope of Information Security with the rest of the business functions with separate budget and work force.”

One of the most common mistakes that organizations make in terms of their security policy and execution, according to Ahmed, is neglecting the importance of end users. “Organizations neglect the importance of end user when creating security policies,” he points out. “Often it’s the weakest link which breaks the overall information security chain. End user education regarding security awareness is very important. End user is bound to make the same or new mistake again unless the organization regularly conducts security awareness programs to show the role and responsibilities of end users. The security policy is not much of use if it is not aligned with organization’s business practices or if end users are not included as part of the overall security program. At the same time IT and IS professionals must also be properly trained to understand and safeguard against latest attacks. All security controls need customization and fine tuning but are usually implemented out of the box which leaves the organization vulnerable to attacks. I have witnessed organizations having security policies which are only there to get in compliance with some standard and the end users are not even aware about the existence of such policies.”

Yet, the IS scenario in the country is not as bleak as it appears. Describing some noteworthy trends in the field, Ahmed shares, “Antivirus and firewalls are a default now and organizations are now moving to IDS/IPS with antivirus engines and spam filters all as a single box solution. Use of NAC (Network Access Control) is also on the rise. The latest trends include compliance with different standards including ISO27001, COBIT, ITIL and even PCI-DSS. Most of the companies are now encouraging their IT and IS staff to enroll in vendor neutral security trainings and write industry leading certification exams like CISSP, CISM and CEH to name a few. Penetration Testing is the new buzzword and companies are realizing its importance and making it mandatory to have their information systems tested at least once a year.”

Cloud computing is a new trend gaining sway in the IT scenario of the country. The great deal of hype about this new technology has caught many Pakistani enterprises in its midst. Shedding light on this new trend, Ahmed cautions, “Organizations need to decide how much data they are ready to share with a third party and how much control they would have on the shared data. Economic aspects might make sense but what if the remote server crashes without a backup or the service provider simply bankrupts. These problems are not fiction but several companies have been through such issues with even a greater financial loss as compared to hosting their own applications. A cost benefit analysis is a good area to begin with.”

Ahmed describes the main difference between traditional networks and cloud computing, in terms of security issues when using services and applications, as the fact that businesses using cloud computing share data with a third party and have to rely on that party’s security controls. “Every time your employees initiate a connection, they are transferring authentication information as well as company data on the internet. During normal circumstances, companies are in charge of their own security but in cloud computing, you need to rely on your vendor. Moving your business to cloud computing means relying and trusting on the whole communication link starting from your employee on the terminal to your vendor hosting applications.”

Cloud computing changes the traditional definition of “sharing resources” as it no longer allows as much control of where and with whom the platform of the resource may be shared. This is because the entire foundation of cloud computing rests on the economics of where an app resides and how many other people share the app location with you when it is requested by you. According to Ahmed, this involves fundamental security risks. However, he points out that organizations are already sharing their data with third parties by using Google Apps/Gmail for their corporate emails, third party hosting providers for websites, ISPs for internet access and VPNs, and different companies for managed services. “You can take certain steps before selecting a vendor,” he advises. “Make sure the vendor is financially strong, already has some good customers, performs regular backups and provides enough resources (bandwidth, processing power, disk space). Vendor should have good security controls in place because as a client you will not be in charge of security on the remote server and you need to rely and trust the security controls put in place by your vendor. Another important point is to make sure that the application and database are portable. What if you lost network access and want to use the backup locally? Or what if you decide to change the vendor altogether? You should know how much you are ready to risk, just in case.”

Ahmed is, however, quick to point out that despite all the advancements in terms of IS, security is not a product but an ongoing process. As new methods to breach security come up each day, there is also a need to develop new methods to combat them. “Despite all the good marketing by every vendor claiming to produce the next big thing, organizations must understand that there is no silver bullet when it comes to security,” he says. “Organizations need a continuous plan to monitor, secure and control their information assets. Having all the standards, security software and hardware in place, the internet is still witnessing worms like Conficker. It is time we realize the importance of security awareness for end users and hands-on vendor neutral trainings for IT and IS professionals so they understand the threats before evaluating a solution.”

With new IS threats evolving each day, it is vital that institutions realize the importance of protecting their information systems and take appropriate measures in time to prevent their information from falling into the wrong hands. For this, IS should be given the attention it deserves by aligning this system with a separate budget and workforce with the needed training, awareness and innovation skill.

