Exclusive: The Gulf's financial infrastructure is a 'juicy target' for hackers looking to cause disruptions, according to a top security adviser.
Cyber criminals targeting the UAE say officials
The nation's critical financial infrastructure is under constant attack by cyber criminals using increasingly sophisticated techniques to try to disrupt business or steal inside information to sell for cash, top executives say.
Representatives from the country's three stock exchanges said they had not been breached by hackers, but were aware of the growing threat from hackers especially after the unauthorised access of into a system owned by Nasdaq OMX Group in the United States. The group owns the Nasdaq Stock Exchange in New York and a third of the Nasdaq Dubai.
"So many people are coming with different types of attacks, we are preparing for the worst," said Illyas Kooliyankal, the information technology officer at the Abu Dhabi Securities Exchange (ADX). "All the criminals are in the electronic world now. You cannot catch them easily. They are hidden."
In repeated attacks last year, hackers found their way into a web service where directors of companies share market-sensitive information and internal documents with each other, according to a disclosure from Nasdaq OMX. The US Federal Bureau of Investigation (FBI) and Secret Service leading a joint investigation.
Both the ADX and the Dubai Financial Services Authority (DFSA), which regulates companies and the Nasdaq Dubai inside the Dubai International Financial Centre, said they had hired "ethical hackers" to try and break into their systems. This allows them to patch vulnerabilities before they can be exploited by malicious groups.
"I believe the risks are increasing on an unprecedented scale and much of this is due to the increase in access and dependency of technology," said Tony de Cristofano, head of information technology at the Dubai Financial Services Authority (DFSA).
The New York break-ins "demonstrates that no one is immune from such activities", he said.
A spokesman for the Dubai Financial Market said yesterday that it used "rigorous security processes" to protect the exchange and that its infrastructure made it incredibly difficult to hack into.
"Members are connected to the exchange through a private network using complex encryption techniques, going through different layers of security making the hacking to the exchange almost impossible," the spokesman said.
The greatest vulnerabilities to sensitive computer networks come from staff, who are more vulnerable to be tricked into giving up passwords or use unsafe software that infects their computer with a programme that allows someone access to their files.
One relatively new ruse has been for would-be hackers to leave USB data sticks on the ground in parking garages. Curious passersby then pick them up and load them into their computers, allowing hackers access to their files and any computers they connect to.
To combat this, the DFSA does not allow new employees access to the USB port on their computer. Files are cordoned off on the DFSA system so that people in one part of the business cannot get access to files in another part of the business. And the evidence room, full of sensitive material, is only accessible by a small team with security clearance.
Follow our Business tweets - twitter.com/biznationaluae
Last year, the DFSA did a "social engineering test" to see how much information an outsider could get. People were randomly called and asked questions that could help a hacker guess; others tried to walk in and get a look at papers on desks. The tests are useful to identify weaknesses, but they also build security awareness among the staff.
Mr de Cristofano said. "It's a battle between the good guys and the bad guys out there."
What's more, the country's other important infrastructure is also at risk of attack from "cyber terrorists", security experts say.
Alastair MacWillson, the global managing partner for Accenture's technology consulting division, said systems across the UAE were especially vulnerable because of their "connectedness".
"There's whole parts of Dubai connected to a smart city grid and you've got lots of process control such as desalination plants, gas and oil pipelines, almost everything [is connected]," he said. "Even the shipping companies are using some of the most sophisticated scheduling systems to control Dubai ports. There's so much connectedness, it is such a juicy target."
The recent Stuxnet computer worm that was reportedly designed to target computers inside Iran's nuclear programme also revealed the vulnerabilities of industrial machinery. While most of these computers are not connected to the internet, they can still contract viruses from actual machinery or computers brought into the building and connected to an internal network.
Costin Raiu, director of global research and analysis at the computer security company Kaspersky Lab, said the outdated protocols used by oil machinery, traffic lights and even stock trading platforms were a major concern. One such system is called such as Supervisory Control and Data Acquisition (SCADA).
"The danger here is that these protocols are quite old and can easily be attacked by the hackers," he said. "Some of them are so outdated that you cannot change the password because it will shut down the software."
Cyber attacks were moving away from simple theft or fraud toward obtaining inside information that could be sold to competitors or used to blackmail executives.
"The stakes are a lot higher for companies now," he said. "And the financial gains for the hackers are a lot higher than stealing some credit cards."