The Daily Star
Cybersecurity risks loom for Lebanese banks
File - An ATM machine, Thursday, Oct. 27, 2011. (The Daily Star/Mahmoud Kheir)

BEIRUT: Clad in black Converse emblazoned with the Batman emblem, jeans and a bracelet reading “HACKERS,” Jayson Street approached a Beirut bank last week. “I’m the IT guy from headquarters,” he told employees, in a thick American accent. Despite his manifest tech savvy, Street is not an IT guy, per se, and he wasn’t sent from headquarters.

“Once I fixed the computer, the manager was letting me behind the teller line,” he told The Daily Star. “I got an employee to give me his user ID, his password, and I got his smart card for his system.”

He stole a computer from another branch of the same bank in the same way and, in a third breach, worked his way into the bank’s computer room and logged onto their network.

Were Street a criminal, he could have committed a million-dollar wire transfer with just a few clicks.

Fortunately for the bank, however, Street is an information security expert paid to test the vulnerability of companies’ networks and databases.

“People pay me to be the bad guy before the bad guy shows up,” Street explained.

“We create that moment saying, ‘This is how bad it could have been if we were the bad guys.’ I call it a high-threat, low-impact event.”

Nearly a year ago, Street and his colleague, Khalil Sehnaoui, established the Beirut offices of Krypton Security, an information security and risk management company.

While Krypton works to secure data for all different kinds of companies, large and small, Street lists financial institutions first in his business pitch.

The regional need for improved digital security is great, say Sehnaoui and Street.

“What has saved the Middle East so far,” Sehnaoui explained, “is that the cybercriminals of the world have not yet realized how easy it is to attack or compromise companies or targets in this region.”

“Once they do, I think there’s going to be a cyber-bloodbath,” he said, where the carnage will consist of “stolen data, downed servers, identity theft, credit card leaks” and more.

Banks in the region, like most companies, are shockingly out of touch with the realities of cybercriminality today, Sehnaoui said.

“They just think, you know, that’s somebody else’s problem on some other continent,” he said.

Ali Nahle, director of the Central Bank’s Information Technology department, disagrees. The Central Bank, he says, actively encourages commercial banks to adapt to the newest threats.

“We push all the banks to use the best systems, the best security, the best database and the best network,” Nahle told The Daily Star.

The Banking Control Commission branch of the Central Bank is responsible for assessing the security of financial institutions and commercial banks, he said. Nahle insists that external auditors send the Central Bank security assessments on each bank in Lebanon every two months.

Commercial banks in Lebanon spend between $500,000 and $1 million on security annually.

The Central Bank has followed suit, Nahle says.

“We invest three times more in security every year,” he said.

Nahle and the Krypton team agreed on some points, however. Part of what makes the domain of information security so complicated is the ever-changing tactics of cybercriminals, both parties said.

“Security isn’t a one-time job. It’s a continuous job,” Nahle said.

“We might be done with our work [at a company] on Monday, but by Thursday they’re vulnerable again because there’s new attacks,” Sehnaoui said. “The attacker is always going to find a new way to attack you for which you’re not going to be prepared.”

Street and Sehnaoui added that, to mitigate reputational risk, many companies didn’t report when their systems had been breached.

For Nahle, banking secrecy laws make it difficult to gauge how many banks in Lebanon have been successfully targeted by cybercriminals.

Nahle noted, however, that twice in the past two years the Central Bank had detected and stymied organized cyberattacks aimed at stealing information from Lebanese ATM cards.

“Customer data is what’s the key thing,” Street said. “That’s where the money is.”

Alarmingly, however, Sehnaoui said that some companies in the Middle East had invested so little in information security infrastructure that they might not even be aware when a breach had occurred.

“We’ve come across companies that have already been compromised and they didn’t know it yet. It’s like, ‘Oh, you’ve had people in your system for the past couple years.’”

“The main problem in Beirut, and when I say Beirut let’s say the whole Middle East,” Sehnaoui said, is “they don’t really have an awareness that this problem exists.”

Gone are the days when armed guards, safes and surveillance cameras ensured the security of a bank.

“What keeps your company alive, that’s now inside your computer,” Street said. “It’s no longer something that you have to physically guard.”

 
A version of this article appeared in the print edition of The Daily Star on January 20, 2014, on page 5.