BEIRUT: Clad in black converse emblazoned with the Batman emblem, jeans and a bracelet reading “HACKERS,” Jayson Street approached a Beirut bank last week. “I’m the IT guy from headquarters,” he told employees, in a thick American accent.Despite his manifest tech savvy, Street is not an IT guy, per se, and he wasn’t sent from headquarters.
“Once I fixed the computer, the manager was letting me behind the teller line,” he told The Daily Star. “I got an employee to give me his user ID, his password, and I got his smart card for his system.”
He stole a computer from another branch of the same bank in the same way and, in a third breach, worked his way into the bank’s computer room and logged onto their network.
Were Street a criminal, he could have committed a million dollar wire transfer with just a few clicks.
Fortunately for the bank, however, Street is an information security expert paid to test the vulnerability of companies’ networks and databases.
“People pay me to be the bad guy before the bad guy shows up,” Street explained.
“We create that moment saying, ‘This is how bad it could have been if we were the bad guys.’ I call it a high-threat, low-impact event.”
Nearly a year ago, Street and his colleague, Khalil Sehnaoui, established the Beirut offices of Krypton Security, an information security and risk management company.
While Krypton works to secure data for all different kinds of companies, large and small, Street lists financial institutions first in his business pitch.
The regional need for improved digital security is great, say Sehnaoui and Street.
“What has saved the Middle East so far,” Sehnaoui explained, “is that the cybercriminals of the world have not yet realized how easy it is to attack or compromise companies or targets in this region.”
“Once they do, I think there’s going to be a cyber-bloodbath,” he said, where the carnage will consist of “stolen data, downed servers, identity theft, credit card leaks” and more.
Banks in the region, like most companies, are shockingly out of touch with the realities of cybercriminality today, Sehnaoui said.
“They just think, you know, that’s somebody else’s problem on some other continent,” he said.
Ali Nahle, director of the Central Bank’s Information Technology department, disagrees. The Central Bank, he says, actively encourages commercial banks to adapt to the newest threats.
“We push all the banks to use the best systems, the best security, the best database and the best network,” Nahle told The Daily Star.
The Banking Control Commission branch of the Central Bank is responsible for assessing the security of financial institutions and commercial banks, he said. Nahle insists that external auditors send the Central Bank security assessments on each bank in Lebanon every two months.
Commercial banks in Lebanon spend between $500,000 and $1 million on security annually.
The Central Bank has followed suit, Nahle says.
“We invest three times more in security every year,” he said.
Nahle and the Krypton team agreed on some points, however. Part of what makes the domain of information security so complicated is the ever-changing tactics of cybercriminals, both parties said.
“Security isn’t a one-time job. It’s a continuous job,” Nahle said.
“We might be done with our work [at a company] on Monday, but by Thursday they’re vulnerable again because there’s new attacks,” Sehnaoui said. “The attacker is always going to find a new way to attack you for which you’re not going to be prepared.”
Street and Sehnaoui added that to mitigate reputational risk many companies didn’t report when their systems had been breached.
For Nahle, banking secrecy laws make it difficult to gauge how many banks in Lebanon have been successfully targeted by cybercriminals.
Nahle noted, however, that twice in the past two years the Central Bank had detected and stymied organized cyberattacks aimed at stealing information from Lebanese ATM cards.
“Customer data is what’s the key thing,” Street said. “That’s where the money is.”
Alarmingly, however, Sehnaoui said that some companies in the Middle East had invested so little in information security infrastructure that they might not even be aware when a breach had occurred.
“We’ve come across companies that have already been compromised and they didn’t know it yet. It’s like, ‘Oh, you’ve had people in your system for the past couple years.’”
“The main problem in Beirut, and when I say Beirut let’s say the whole Middle East,” Sehnaoui said, is “they don’t really have an awareness that this problem exists.”
Gone are the days when armed guards, safes and surveillance cameras ensured the security of a bank.
“What keeps your company alive, that’s now inside your computer,” Street said. “It’s no longer something that you have to physically guard.”