CSO talks to Faiz Ahmed Shuja, someone who’s been part of the IS scene in Pakistan for almost a decade!
In your opinion, does the Pakistani enterprise appreciate the critical importance of IT Security?
I think local enterprises give a lot more thought to IT Security than they used to in the past. Could they give it importance at the highest level? Yes, but it has climbed up substantially in the past few years. I believe it is all part of an awareness building process and the situation will improve gradually. We do, however, need to accelerate this process.
Do you think the IT Departments, CIO or CSOs currently in Pakistan are able to justify the ROI on security solutions or audits for their organizations? Do you think it has gotten any easier to sell security over time?
Information Security has now become important for every business. Today, if a C-level executive is not able to sell security to the board, I would say he shouldn’t be there to begin with. As I said earlier, it’s part of the awareness process. You have to sell security from top to bottom, and it has gotten easier over time, but I would recommend that CIOs and CISOs go through their in-depth process of evaluating their security requirements on an annual basis and sell it to the board.
What are some of the biggest threats that an organization has to face vis-à-vis IT Security?
IT Security threats are becoming more sophisticated every day and organizations really need to prepare themselves to handle such threats. Either organizations should have a trained security team internally or a trusted external partner who is able to protect them from sophisticated security threats. Some of the biggest security threats in 2007-2008 have been:
• Targeted phishing attacks – to extract confidential and critical information.
• Identity theft – bots passively sit in a computer for four to six months, gather the user’s activity and use it later on.
• Malicious spyware / botnets – now with the flux networks, it has become more difficult to track attackers.
• Web application attacks – substantial growth in web application attacks, such as cross-site scripting, SQL injection, file inclusion.
• Insider attacks – this will probably always stay on the list.
• Client-side attacks – malicious websites that exploit browser vulnerabilities and gain access to the system.
• Mobile phone threats – now with the increasing use of mobile devices to check emails and browse the internet, mobile devices will be attackers’ next target.
With every organization that has a customer base (which is essentially everyone!) vulnerable, could you give examples of enterprise-level organizations that would benefit from the implementation of honeypots?
Honeypots can be deployed in any organization that wants to learn about the tactics and motives used by attackers targeting its IT infrastructure. They can help an organization understand the threats towards it and take measures to protect itself from them accordingly. There are various types of honeypot implementations now which organizations can deploy to learn about the attackers.
Could you give some examples of some vulnerable systems that could have been exploited? The example of LESC.info or PKNIC.net.pk, where websites provided access to personal information stored online in their databases, comes to mind… Any others?
Web application attacks are one of the top threats being faced these days. We have observed that 60 to 70% of dynamic and database-driven websites of various organizations in Pakistan, ranging from top financial institutions to small-medium si