Meeting Qatar’s cyber threats: an ongoing challenge
Qatar has some very specific threats facing government entities, says a regional expert. These come from regimes opposed to regional politics as well as those wishing to benefit from industrial espionage, writes Colin Saldanha.
As many attacks occur from inside an organisation, it’s necessary to ensure that all traffic is screened at both the ingress and egress points within a government, says Glen Ogden of A10 Networks Middle East.
Meeting these concerns is a difficult task, one that requires a multi-level approach to security, which provides strength in depth. At the perimeter, securing services with DNS Firewall and ‘Volumetric Attack Prevention’ is critical; internal threats are more difficult
The proliferation of SSL (Secure Sockets Layer), the standard security technology for establishing an encrypted link between a web server and a browser, explains Ogden, has enabled many malicious applications to effectively hide their existence once activated. Because SSL traffic is encrypted and cannot be inspected, they bypass existing security methods such as Internet filters.
Governments, like Qatar’s, must enter into discussions with security vendors who have countered this threat by developing highly scalable SSL Intercept technology. This allows government entities to intercept all SSL communication destined for the Internet originating inside an organisation, and strip off the encryption, thus allowing existing security products to fully monitor the payload before re-encrypting the data and sending it to its final destination, should it pass internal security checks.
Existing security products that inspect payload are not suited for this task due to the high volume of SSL encryption/decryption required. Therefore, a best-of-breed technology in this space that can scale regardless of SSL key strength is an absolute requirement if government is to avoid service impact due to performance problems.
A security strategy should always be fully encompassing, dealing with both physical and logical security. Typically, says Ogden, government entities in Qatar have a high level of physical security in place already. Unfortunately, modern threats tend to favour logical security breaches rather than physical penetration of a government entity, meaning that new strategies are required to cope.
“Critical infrastructure and data are often in some ways synonymous, since they both require logical protection, albeit of a very different kind. You cannot protect data if you don’t adequately protect the perimeter, therefore a solution that offers both perimeter protection of firewalls, Domain Name System (DNS) infrastructure must be mirrored by internal protections of applications via Web Application Firewalls (WAFs) and importantly, the ability to inspect all communication destined for the Internet regardless of whether it is encrypted or not,” said Ogden.
Historically, such protection has proved very expensive to procure due to vendors licensing all features on an appliance; this has limited governments, specifically, from enjoying the same level of protection as their commercial counterparts. However, some vendors do not have any licensing, allowing any customer to enjoy all the acceleration and security features for a fixed ‘capital’ and ‘operational’ expenditure.
“Unfortunately, government spending on security, beyond Firewalls and Anti-viruses, tends to be viewed in the same way as disaster recovery, that is, only spend after a breach or a failure. In an increasingly connected world, security should be a very high priority for government as e-government is on the rise and both inter-government and citizens mandate their data is both secure and protected. Most CTOs understand this requirement and we are expecting spending on security to increase especially as many government departments are wishing to adopt Cloud services,” Ogden stated.
As attacks increase, a governing body is essential to ensure all relevant parties have somewhere to obtain information. Moreover, any entity that helps define protection standards is typically welcomed by those departments that aren’t able to execute their own due diligence in security matters. It is likely that we will see each state have its own entity, and this should be welcomed by the community as a whole. Even if there is a central body that is set up to regulate defence against cyber-attacks, each government or ministry still needs to take action to ensure the region as a whole is fully protected top to bottom. So while such entities are of clear importance, that should not be at the expense of individual government departments ensuring they are adequately protected against the very real threats that the country faces daily.