A Framework for Effectiveness of Cyber Security Defenses, a case of the United Arab Emirates (UAE).

Abdulla Al Neaimi, Tago Ranginya, Philip Lutaaya
SecureTech, LLC, UAE.

Abstract: Cyberspace has become the new frontier for countries to demonstrate power. Nations that have developed defense tools or those that can successfully launch attacks against adversaries will become the next global superpowers [1], [2]. While cyber threats and attacks by government agencies are well documented, most of the widespread attacks are carried out by individuals or various hacking groups for personal gain [3]. The UAE has become a major target for cyber conflicts due to increased economic activity, tourism, technology and the rise of the oil and gas industry. Furthermore, the wide spread of the internet in the region, to the tune of 88% in 2014, has exposed it to attackers [3], [4]. Recent attacks against Saudi Arabia's ARAMCO and Qatar's RasGas, and the Stuxnet attack on the Iranian nuclear plants, are often cited as examples [4], [5]. However, in the digital arena no space is out of control by the law; therefore, it is important to guarantee democratic principles in this domain. The fundamental drivers of the cyber security market are geared towards increasing the digital risk from cyber users by creating greater vulnerabilities because of more pervasive utilization of engineering and cloud computing platforms. Previous reports show that the UAE Government is set to double expenditure on homeland security [6]. Consequently, we need to assess whether existing cyber-security defenses are effective and guarantee comprehensive cybersecurity strategies that would uphold the highest security standards in line with the vision In this paper, a critical review of the existing cyber security mechanisms has been done and a framework for effective management of cyber security threats proposed for the UAE government agencies.
Keywords: United Arab Emirates (UAE), Cyberspace, Cybersecurity, Cyber-attacks, and Security Framework.

1.1 INTRODUCTION

In the world today, cyberspace has become part of the daily life of many people in different societies, including industry and government agencies. The continued development of Information and Communication Technologies (ICT), social media, internet shopping, and online banking has created a powerful economy while enabling borderless exchange of information and media. It is only in an environment of trust and mutual respect that nations can benefit from digital infrastructures through secure, safe and reliable cyberspace. Moreover, network interdependence, the intrinsic asymmetry of cyber-threats and the pervasiveness of cyberspace in different aspects are all features that call for holistic approaches and synergetic efforts from all stakeholders to ensure an adequate level of security in the UAE. The government needs to approve a framework upon which it can coordinate all efforts to ensure effectiveness and efficiency of cyber security defenses within and outside its agencies. However, with the international community still much divided regarding the principles and values that apply to the cyber domain, solutions to major cyberspace challenges remain a major concern and therefore require broad involvement of all stakeholders from the public and private sectors and all other organizations across the globe [7]. Moreover, several attacks like malware, phishing, corrupted programs, password manipulation, computer session hijacking and denial of service have increased massively in the UAE and the Gulf Cooperation Council (GCC) in recent years.
Such attacks include the August 2012 attack which affected the major oil and gas company in Saudi Arabia, ARAMCO, the Stuxnet worm of 2009 that targeted the Programmable Logic Controllers (PLC) of the Iranian nuclear industry, the LulzSec Sony Pictures attack that took bio data of many people [8], [9], and the Shamoon virus that infected over thirty thousand (30,000) stations and disrupted business processes for almost a week, among others [10]. The increase in IT security attacks on vital government and industrial data could partially be attributed to the vast amounts of data available in data centers, the increased number of mobile subscribers and massive internet connectivity. Additionally, attackers have improved their levels of organization and research, especially in the area of cloud security, which will be the hub for next generation network data storage. The cyber criminals have also been highly motivated by the recent political instabilities in the Arab region and financial support from some Islamic hacktivist groups. In addition, the most recent statistics show a dramatic increase in UAE cyber security threats. For instance, official statistics from Dubai police have shown a dramatic 88% increase in the number of electronic crime cases reported in 2013 compared to the year before. The cyber investigation department of Dubai Police received a total of 1,419 reports in 2013, 792 in 2012 and 588 in 2011 [11]. This trend demonstrates a continued increase in cybercrime within the region, as indicated in Fig 1.

Fig 1: Statistics showing recent cyber incidents in Dubai. Source: 14/10/2014.
From Fig 1 above, the number of security threats reported to Dubai police was analyzed for a period of three years from 2011 to The results show a bigger increase in the number of cyber threats between 2012 and 2013 as compared to the period 2011 to Such results provide a justification for the study leading to the design of an appropriate cyber security framework for detection and prevention of such incidents in the region. Cyber threats can be categorized into two groups: those whose emergence resulted from the Internet or the traditional activities of crime, and others from Internet technology development, for example, cases of cyber terrorism and cyber theft of highly sensitive data, and traditional criminal activities enhanced by computers like stealing intellectual property and sexual exploitation of young children online, among others. The authors argue that UAE residents are a major target for phishing scams. It is therefore of utmost importance to devise strategies that can be used to combat the cyber security related challenges in the UAE public and private sector agencies as well as protecting the many innocent citizens online. The rest of the paper is organized as follows: section II provides a detailed study of the existing cyber security attacks and cyber security defense mechanisms and frameworks available globally and in the UAE region in particular, section III critically looks at the challenges of cyber security defense, section IV proposes a framework for cyber security defense in the UAE, while section V and VI provide a discussion of the proposed framework, conclusions and future work respectively.

1.2 STUDY BACKGROUND

The cyber security problem has been debated extensively in the literature over recent years; for example, Aloul [12] reported that in 2010 several users lost their UAE Bank savings through internet fraud.
Hackers succeeded in stealing ATM and credit card data from processing companies and adjusted available balances on these accounts. These cards were later distributed to other hackers in target countries to withdraw large volumes of cash. The authors suggested some measures for increasing cyber security awareness in Middle Eastern countries including the UAE, for instance, by proposing a review of the existing legal system of technology, making workable solutions in regards to preservation of evidence, developing protocols to obtain traffic data, and cooperation with the ICT industry in developing new technologies to combat hi-tech levels of crime, among others. The national security awareness campaigns launched in November, 2007 by the aeCERT to protect online information and provide an online identity platform have tried to safeguard some of the government's critical information by blocking some of the immoral websites from access within the region. This has temporarily reduced the issue of child abuse and pornography. Furthermore, on 22nd July, 2013 the Telecommunications Regulatory Authority (TRA) successfully defended a series of cyber-attacks that targeted some government websites. The Computer Emergency Response Team aeCERT managed to neutralize the problem with minimal damage [13]. However, popups, phishing attacks, denial of service and ignorance of users about security threats, among others, remain a major challenge. The Symantec Report, 2013 on UAE looks at the extent of the cyber threats in the region. It claims that 17% of people in UAE have been victims of cyber threats; however, there are no analytical results to prove this validity. An extensive study is necessary in UAE to prove this validity [14]. On the other hand, the 2012 UNDP report revealed a very big potential in the Middle East to build strong e-government portals that would streamline communication and reduce operational costs to the tune of 95%, with Internet penetration and usage reported at 35.6% by 2012 [15]. This trend has continued in the same direction up to today; for instance, the 2014 world internet statistics report showed a considerable increase in the Middle East Internet penetration to approximately 44.9% by the end of 2013 [16]. This is the highest in the whole world, which poses a very big cyber security threat to the GCC member states.

Fig 2: Source: Internet World Stats, Miniwatts Marketing Group.

From Fig 2, the rapid increase in Internet penetration in the Middle East up to the tune of 44.5% by the end of 2013 shows that the region has become a major target for different forms of cyber-attacks such as malware, phishing and Denial of Service attacks. This calls for an urgent need for strategic frameworks that can be used to protect the big number of people online from such disastrous cyber-attacks. Many organizations fail to address employee and insider vulnerabilities as well as assessment of third party partners and supply chains. Furthermore, they fail to strategically invest in cyber security to ensure that it is in line with their business objectives [16]. The PWC annual global geographical survey 2014 revealed that 69% of US citizens were worried about the impact of cyber threats. The authors identified 8 cyber security strategies that could be of concern to governments, that is to say: aligning cyber security strategies with organizational objectives, addressing third party security, avoiding a missing link in supply chain management, mobile phone security issues such as encryption and device management policies, and suspicious employee behavior, among others. The report further emphasizes funding processes that fully integrate predictive, detective and incident responsive capabilities [17].
In addition to the above strategies, the 2013 KPMG report on cyber security identified the five (5) common cyber security mistakes that most organizations make when handling cyber problems:

i. We have to achieve 100% security in our organization.
ii. When we invest in the best of class technical tools, we are safe.
iii. Our weapons have to be better than those of hackers.
iv. Cyber security compliance is all about effective monitoring.
v. We need to recruit the best professionals to defend ourselves from cybercrime.

However, it should be noted that 100% security is not feasible, and effective cyber security is not only dependent on technology, good security policies or determined by organization goals. Furthermore, learning is as important as monitoring, and finally we need to note that cyber security is not a department but rather an attitude of people in every organization [17]. Therefore, appropriate cyber-security frameworks should strike a balance between any of the above common security mistakes if organizations are to achieve the best security defenses. Real time threats are more sophisticated and so require continuous monitoring by government and all other stakeholders due to the massive threat to data and proprietary information. Much as governments are trying to keep pace with these threats, they have not integrated their security strategies to provide a more complex solution to cyber-attacks. These ever increasing information security threats call for the development of complex cyber security defenses for the UAE government agencies and the entire GCC region at large [18]. As organizations expand their use of advanced security technologies, hackers attempt to break into their security by using the weakest security link or the less-informed computer user.
Users are the biggest security threat to the IT security of any organization; therefore, continuous culturally sensitive training and awareness programs need to be in place to change their perception of information and cyber security. Furthermore, cultural and attitude change in the operations of government employees is needed to make IT security and the ethical use of the state IT resources as ubiquitous as technology, since it involves changing the way state employees perceive IT security. In [19] a comprehensive survey on wireless networks was carried out on thousands of access points in Dubai and Sharjah Emirates in 2008 and 2010; the results of the survey showed that most of them were either unprotected or used the weakest protection techniques. The results showed that 32% of the access points were unprotected while the others used weak security encryption techniques. Such weak security protocols placed on internet access points can expose people to all forms of cyber threats. A good national identification infrastructure can help the government to obtain credentials of cyber enemies. The UAE government established a strong identity management infrastructure (Emirates ID) to enhance homeland security [20]. The smart identity card comprises security parameters stored on an embedded chip together with a person's physical identity. This has enabled secure e-government transactions and monitoring of the influx of foreign workers, since it links a person's electronic identity and attributes stored across a single distinct identity management system [21]. The government needs to improve the security features on both the Emirates and labour cards to avoid any form of forgery by incorporating tamper-proof RFID features on the cards. Meanwhile, Fadi et al [22] looked at the security concerns of the UAE traditional electrical power grid that will soon evolve into a smart grid system.
They analyzed the vulnerabilities and looked at the current and needed security solutions. One major concern is the under-construction Barakah nuclear power plant located in the Western Region of Abu Dhabi by the Emirates Nuclear Energy Corporation (ENEC), which is set to be completed by the year 2020 in order to raise the region's power output voltage from 15.5 GWe to about 40 GWe. Power grids normally face attacks on intelligent devices and physical connection attacks like IP spoofing and denial of service attacks. Therefore, if the UAE grid falls under a cyber-attack it would pose a very big danger and loss to the government and the entire economy. Furthermore, Kaist et al [23] accentuate that nuclear power plants are very important infrastructures for providing efficient and uninterrupted electricity and so require continuous government vigilance and protection. The use of such digitized systems brings new vulnerabilities and threats over cyberspace since they are more dependent on software and networks. Michael and David [24] provide an insight into enhancing the cyber security workforce; they propose the need to devise ways of building professionals who can build, manage and secure reliable digital infrastructures and effectively identify plans blended for threats. They presented a model for developing the next generation cyber workforce which combines assessments, simulations, customization and support systems. However, we are not sure if their model can be applied to the UAE Government Agencies since it is not effective for interconnected networks. We need to put in place a framework that can aid the UAE interconnected network systems to jointly detect and control cyber threats, and this is the major contribution of this paper.
The United Nations Institute for Disarmament Research report, 2013, claims that Government efforts to protect infrastructure and undertake law enforcement in the cyber sphere are complicated by the fact that most infrastructure and assets involved are owned and operated by private sector actors with diverse motivations and competing equities to protect. This complicates the legislation process; for instance, civil liberties are more concerned about protecting people's rights than protecting the privacy of people online. Therefore, the need to incorporate culturally sensitive training and awareness programmes in the UAE cyber security framework is very important as it contributes to changing one's online behavior. The use of edge devices, cloud applications and the increased regulatory requirements has created an urgent need for organizations to advance their security and re-think traditional approaches to stay ahead of the ever escalating risk levels. A new strategic framework is therefore needed to address numerous disruptive trends across the IT landscape in securing data, mobile devices and cloud computing environments, among others. The major challenge is to address disruptive technologies and trends like everything connected and social computing, and at the same time manage inherent risks [25].

Fig 3: Increasingly sophisticated porous security perimeter. Source: Cyber security in modern critical environments, CGI Group Inc, 2014, page 5.

Fig 3 shows a highly connected IT infrastructure environment that combines data flows from mobile devices, critical infrastructures and cloud computing environments. All these provide sensitive data to internal and outsourced data centers under a common backbone. As a result, an attack on such an environment would be disastrous to organizations in terms of massive data losses and destruction of critical infrastructure.
Therefore, we need to design cyber security frameworks which can protect critical data in such highly connected and distributed network environments. This is the case for the e-government portal of the UAE, through which all Government to Citizen (G2C) transactions have been channeled through platforms like the Emirates Identity Management System. Meanwhile, the latest 2014 report by Cisco Systems International reveals that malware encounters have shifted focus to electronics, manufacturing, agriculture and mining industries at a rate six times the average encounter across industry verticals. It is revealed that 99% of all mobile malware in 2013 targeted Android mobile devices, which are the most used devices in the region. Moreover, mobile devices introduce a major security risk to organizations, especially when they are used to access company resources; they easily connect with 3rd party cloud services and computers with security bearings that are outside enterprise control. This problem is expected to increase, especially with the arrival of IPv6 deployments across the globe [26]. It is further reported that by the end of 2014 more mobile devices will be connected to the internet, to about 7 billion devices, more than the number of people on the planet, and in two years' time between 15 billion and 25 billion devices will communicate across the internet [26]. This trend implies that governments and organizations would find it extremely difficult to identify and isolate invalid devices trying to access their ICT infrastructure. Authors in [27] assessed the cyber security problem in selected ministries of the Government of Kenya by providing both descriptive and inferential analysis into cyber security assessment. They claim that cyber-attacks are highly sophisticated to the extent of troubling