By Nahil Mahmood
How effective is the practice of information security in industry in Pakistan? Let’s examine this very question by exploring various factors which influence the successful implementation of information security in an organization.
- Information security in the local industry faces challenges such as limited IT budgets, a dearth of experts (highly qualified and trained resources move to greener pastures), and a lack of skills among computer science graduates.
- A blessing in disguise? Our banking system is protected, interestingly, not by its high level of security protection but by its archaic capabilities, which lead to low interest from hackers.
- Are we keeping up with developing and fast-changing technology? The much-needed awareness in the wake of the proliferation of the cloud, mobile and social media frontiers also seems to be missing.
Information security in today’s organizations
Organizations today rely on Information Technology (IT) as the engine to automate their businesses. A range of IT business applications drive the delivery of service for customers of an organization. For example, a retail grocery store chain with multiple outlets spread across different geographical locations relies on its point-of-sale (POS) software to bill customers, manage cash position, and keep track of inventory levels so that fresh supplies may reach the outlets in time. With the help of this IT automation through business applications, the velocity and scale of the business, and quality of customer service may be greatly enhanced.
Information security means protecting the confidentiality, integrity, and availability of the information and information technology infrastructure of an organization, through which the organization delivers service to its customers. Taking the example of the retail grocery chain, the organization will want to protect its confidential sales and financial data from theft or disclosure, and the application's processing must be accurate and protected from tampering so that correct inventory data can be reported back for effective supply chain management. If the application processing is inaccurate or tampered with, the wrong inventory quantities and types may reach store locations, leading to wastage of goods and financial loss. Finally, availability refers to the IT applications and network services being available when needed, so that customers do not have to wait in line while the network is down.
Information security and related challenges
Effective implementation of information security for an organization to protect its intellectual property and IT assets depends on a number of factors. Many of these factors are linked to the presence of a suitable and healthy enabling ecosystem which may propel the successful implementation of an information security program within an organization.
As with other technology and IT domains, the expertise level of information security professionals in Pakistan suffers the typical challenges—highly qualified and trained resources usually move to greener pastures for lucrative assignments in the Middle East or to developed economies in the West. Moreover, the limited IT budgets available to local organizations and the limited market size compared to regional economies prevent the most advanced information security products and features from being deployed in Pakistan. Thus, high-caliber information security professionals educated and trained by the local industry in Pakistan see limited professional growth in the country after the first 7-10 years of experience.
The same factor affects local and multinational security vendors in the country. Complex information security IT tools are expensive (take identity management, for example), and require experts for the architecture and design work of an implementation. These architecture and implementation experts will more than likely be located in a more lucrative and larger regional market and will generally be reluctant to visit Pakistan for project execution, owing to physical security concerns, a poor media image, and similar factors.
An important factor related to the advancement of information security and security technology in the country is the nature of the local IT industry itself. The IT industry in Pakistan is predominantly a consumer industry, buying products of Western companies with negligible indigenization or local manufacture of security products and security applications. The impact is obvious: Pakistani organizations buy and deploy packaged security tools and applications. The requirement for local research and development in the security technology space is minimal, resulting in almost non-existent local research programs, funding programs, and research and development (R&D)-driven intellectual capability among IT professionals. This also results in a shallow skill requirement in the local industry for information security professionals, and hence a more specialized and scientific examination of information security issues and challenges is unlikely to take place, as the surrounding and enabling ecosystem is entirely missing. This challenge is not specific to information security; it applies to IT and other technology domains in general, as the industry is predominantly a consumer and not a “manufacturer.”
However, the local industry does possess a satisfactory talent pool of professionals with mid-level expertise who have supplemented their credible local experience by passing the global information security certification programs led by ISACA (previously known as the Information Systems Audit and Control Association, now known by its acronym only), ISC2 (Information System Security Certification Consortium, Inc.) and EC-Council, to name a few. Since IT auditors and information security professionals are required in sufficient quantity in the country to manage and operate organizational information security programs, the locally oriented skill set and experience is readily available to cater to local industry demand. However, as stated earlier, advanced experience, skill sets and intellect are sorely missing.
Sector specific analysis
The financial sector in Pakistan is by far the most intensely regulated from an IT perspective, compared to other sectors such as telecoms, government, and enterprise. The State Bank of Pakistan (SBP) is also regionally perceived as a “strict regulator,” with a tight watch over the functions of financial institutions. In fact, there are four levels at which financial institutions are monitored and regulated in the country.
Whereas the SBP drives and strictly monitors a tightly regulated regime for banks and financial institutions, the other sectors such as telecoms, government, and enterprise customers have minimal IT or information security regulation or monitoring. Although one of the reasons for this contrast is the respective nature of the industries (financial vs. non-financial), resulting in different priorities, the near-absence of IT regulation in the non-financial sectors is unfortunate. As a result, information security implementations and investments in the non-financial sectors are driven by internal mandates and commitment, which vary greatly from organization to organization.
The defense sector is an exception, however. Especially after the Snowden disclosures and other recent paradigm shifts away from the traditional acceptance of Western-manufactured products, the defense and military institutions are investing more aggressively in security technology and in IT research and indigenization efforts.
Are banks and financial institutions secured?
There are several factors to be taken into consideration while contemplating the specific answer. The first factor is exactly how secure these banks and financial institutions are in terms of the general strength and robustness of their internal information security programs. The answer to this question is unfortunately embarrassing. A simple technique for evaluating the strength and maturity of an organizational information security program is to check whether it has a consistent and effective vulnerability assessment (VA) and penetration testing (PT) initiative. Is the organization taking vulnerability assessment (scanning the IT infrastructure with tools for known software bugs and evaluating which software security patches are missing) and penetration testing (simulating an actual hacker attack by exploiting vulnerabilities in software) seriously, and is there an allocated budget and a quarterly management review of the PT/VA program? Unfortunately, less than 5 percent of organizations in Pakistan follow a disciplined PT/VA practice to detect external and internal vulnerabilities which could be exploited by actual attackers to gain unauthorized access (intrusions) into the IT data center.
The second factor is how much damage a hacker can do once he or she has broken into the organizational network and has access to internal systems and data. For the banking industry in Pakistan, our closed and restricted electronic payments ecosystem leaves hackers few benefits other than disruption of an IT service (bringing down an application by deleting server data) or defacement of a visible website. Interbank Fund Transfer (IBFT) and online banking have picked up momentum in Pakistan only in the last 5-7 years. Pakistan’s banking system also does not allow international wire transfers through online banking. Credit card uptake in the country is low, and the majority of credit cards are not accepted online, where a significant proportion of fraud takes place. So hackers can easily break into Pakistan’s financial institutions, steal data, or choose to disrupt their IT systems. But what’s the fun in that? Hackers with criminal intent would rather direct their energies where the spoils are more lucrative, such as Western electronic payment systems, where funds can be siphoned off with ease or credit card data can be stolen and sold on the hacker black market.
The third factor to consider is how we fare against security risks as electronic payment mechanisms such as smartphone (mobile) payments, e-commerce, online banking, and online shopping become more common. Attackers would rather spend time and effort breaking into locations where information of commercial value is stored. Such information may be sold on the black market or used for extortion, such as blackmailing the owner for funds while threatening to publicly disclose the confidential information or data if the attacker is not paid. Since the number of users frequently accessing online banking is limited, there is a limited set of transactions that can be conducted via electronic banking, and Pakistan’s banking regulations are fairly strict on KYC (know your customer), this is again an area where a hacker faces a small market with limited damage potential compared to the regional markets. So our banking system is protected, interestingly, not by its high level of security protection but by its archaic capabilities, which lead to low interest from hackers. Unfortunately, scant security survey data is available in Pakistan; however, as per global trends, mobile device intrusions are not a preferred vector for attackers globally. According to Verizon’s Data Breach Investigations Report (DBIR) 2015, out of tens of millions of mobile devices, only 0.03 percent of mobile devices were found to be infected with truly malicious exploits.
The fourth factor to consider while examining our original question, “Are banks and financial institutions secured?”, is to compare the frequency of cybersecurity incidents and their impact in Pakistan from a regional and international perspective. Fortunately for Pakistan, most cybercrime and cyber incidents take place in the Western world and developed markets such as the USA, Europe, China, and Australia. However, it is pertinent to mention here that it is a well-known fact in (educated) IT circles that breaking into a computer system or network is a fairly simple task for a trained and experienced hacker. As per Verizon’s DBIR 2015, in 60 percent of cases attackers are able to compromise an organization in minutes. We can thus safely conclude that breaking into a Pakistani financial institution’s IT network is also a matter of a few minutes for a skilled hacker. The more important question is what a hacker will do once the intrusion is successful, given that you “can’t run away with any priceless valuables.”
At the same time, it is disturbing to note that phishing attacks are now more visible in Pakistan and are following a rising trajectory. As per Wikipedia, ‘phishing’ is an attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Such phishing attacks have occurred recently against the FBR website, as well as against a number of commercial banks, especially those not using two-factor authentication on their online banking portals. As per global trends, almost 50 percent of phishing attack victims open the phishing emails and click on the infected attachments within one hour.
Transformation through cloud, mobile, and social media frontiers
This brings us to an important area: the transformation taking place through the proliferation of the cloud, mobile, and social media frontiers.
With the introduction and widespread use of these three technologies, our very way of working and living has been completely transformed. The traditional organizational security perimeter, established with the help of technology and security controls such as firewalls, network admission control (NAC), physical and logical access control, and physical network ports (switch port security), is now largely ineffective in the face of mobile devices and bring-your-own-device (BYOD) trends. Moreover, an increasing number of organizations allow teleworking and access to internal applications for a travelling or roaming workforce. This eliminates the traditional controls established around a known organizational boundary (the office building and everything within its facility), as the new workforce needs to be empowered through mobile devices, thus setting new challenges for information security implementation.
Although cloud adoption in Pakistan is still not at a mass scale, and the rate of adoption is relatively slower than regional economies, the hosting and co-location options offered by local telecoms and IT service providers at shared data center facilities are now impressive, offering a range of virtualization, cloud, and IT outsourcing options. The awareness related to cloud security implementation is still minimal and misunderstood in the country, even though nonprofit global organizations such as the Cloud Security Alliance have developed a tremendous and comprehensive framework for cloud security implementation.
Similarly, social media proliferation and usage on smartphone devices pose a new set of personal and organizational security challenges. The awareness component of these new challenges may be addressed by training social media users to configure safer security settings; however, the technology component of the security challenges, such as smartphone app features, data leakage and theft, is far more complex and more difficult to address.
These new technology transformations thus pose a formidable set of challenges to the information security community in Pakistan. While the local workforce is now adept and experienced at auditing, assessing and remediating the traditional IT infrastructure housed in a data center, it is largely unprepared to take on the security challenges introduced by cloud, mobile, and social media proliferation. Neither do we witness any major or aggressive trend towards training or raising awareness of these transformational areas among the information security community.
Specialized information security domains
Establishing the organizational structure for an information security team is a two-dimensional activity covering functions (such as security operations or security governance) and domain areas (such as systems security or network security).
Let’s take a look at the functional requirement first. Departmental units exist for security operations (handling the day-to-day security tools such as anti-virus software and its operations), security engineering (specialized domain areas such as network security, systems security, applications security, etc.), security governance (policy and procedure development and managing the governance and management of information security), and the security assessment team (a team of security analysts and security auditors who assess the security features of business applications in order to accredit them before they are introduced into the production environment).
Next, let’s take a look at the breadth of domain areas which need to be covered in a typical information security team. The information security practice encompasses more than 10 specialized domains or branches.
Each of the domains is a specialized branch of information security with specific technology, tools, techniques, and knowledge. In fact, technology is developing and changing at such a rapid pace that keeping fully abreast of the entire set of domains and their ongoing developments is a daunting task.
The complete palette of information security domains is thus both broad and deep, and it is highly challenging for a security team to cover expert-level capabilities in all of these domains. A single information security professional may not possess in-depth knowledge of more than 2-3 domains (for example, a security professional with 5-7 years’ experience may be a specialist in systems security with expert knowledge of Windows, Linux, and AIX environments, with additional but cosmetic knowledge of two more domains such as databases and networks).
Populating the respective security functions (first dimension) and the requisite set of security domain expertise (second dimension) within an information security team is a highly challenging proposition, as we find a plentiful set of information security generalists, with specialists being a rare species. Deep domain expertise is generally hard to find in Pakistan; therefore, the typical information security team in an organization will hire many younger security professionals and will attempt to train them in the specialized domain roles. The bad news is that after 2-3 years of training, grooming and developing talent, the resources are ready to migrate to the lucrative regional markets with an exponential increase in their compensation packages!
Add to that other limiting factors, such as Pakistan being a small IT market without enough room to accommodate or even appropriately compensate high-caliber specialists, as the security projects in the country are small and generally lack complexity. The result is a vicious circle in which highly specialized security talent (or other specialized IT talent, for that matter) is neither available nor retained by this market.
However, exceptions do exist and it would be sheer injustice not to mention that a select few centers of excellence for information security practice do exist in Pakistan. The key words here are “few” and “small.”
Information security process culture lacking too
A popular description of information security is that it has three foundations: people, process, and technology.
In fact, an effective information security practice is dependent almost entirely on the underlying discipline inherent in a process oriented culture. It is only when an organization halts its haphazard and ad hoc method of working and adopts a regulated process-oriented culture that it can embed security into the fabric of the organization. Security must be factored in at each stage of the software development life cycle (SDLC), within operations, and in each functional area of the organization.
It is here that security effectiveness and quality intersect; both outcomes require an underlying process culture to survive and thrive. Within an ad hoc and chaotic organizational culture the security outcomes will also be haphazard and unpredictable.
This raises an interesting question: “What percentage of Pakistani organizations have shed their chaotic working style and adopted a disciplined process-oriented culture into their corporate DNA?” For IT organizations, a relevant associated question is: “How many software development companies have adopted Capability Maturity Model Integration (CMMI)?” If the answer to these questions is disappointing, we may safely conclude that information security process culture implementation is equally disappointing. The inevitable conclusion is that information security has not deeply entered the fabric and DNA of Pakistani organizations and is only superficial and cosmetic in its adoption and implementation.
How are our software houses faring in information security implementation?
Pakistan has a growing IT industry with huge potential for software export due to the low cost of IT business in Pakistan compared to the developed economies. The caliber of those graduating with a computer science degree from the top universities in Pakistan, such as NUST, FAST, LUMS, and GIKI, is as good as that of any regional university. However, the security training of these graduates is dismal. The top software houses in Pakistan, employing hundreds or even thousands of staff, are found focusing on software quality assurance (QA) testing, which primarily ensures the software is bug- and error-free. The practice of information security within these software houses, however, is driven by the customers, a paradigm similar to the ISO 9000 certifications of the Sialkot sports industry. Where the overseas customers are particular in their compliance requirements for information security programs and capabilities at the offshore Pakistani development houses, the practice will be more mature. Other than this overseas customer-stipulated emphasis on security implementation to ensure the software is secure, the general trend in software houses in Pakistan is again disappointing.
It is also surprising how little emphasis our universities place on secure coding and the secure SDLC (software development lifecycle). But why be surprised? The lack of competence in, and emphasis on, information security is a national dilemma!
The way forward
Information security is a vast and complex field and requires substantial resources to implement effectively. In organizations where information security is an afterthought, where budgets are constrained for IT itself (what will be left for information security?), and where process culture is absent, the implementation of information security will always be erratic and superficial, perhaps very aptly reflecting the wavering commitment of the management team that has initiated the information security function in the first place.
In the Pakistani industry, the information security function is by all means present, however, in order for the practice to gain traction and effectiveness, more management commitment needs to be demonstrated backed by a more realistic and practical resource provisioning within organizations (budgets).
Moreover, university programs training students as information security specialists need to closely liaise with the industry to expose students to real world security tools and challenges early on in their degree programs.
In order to make an effective overall quantum change in the quality, depth, and sophistication of information security practice in Pakistan, the surrounding and enabling ecosystem must be set up to act as a catalyst that develops and strengthens the roots of information security practice in the country. For that to happen, indigenization, research programs, government funding, university-industry collaboration, development of professional information security associations, and training of information security professionals at a mass level through a credible national information security program must take place.
At its very roots, information security is a subject of “governance.” Given that we have appalling governance in our public sector, and an erratic trend of governance and process culture in our private sector (with a very few islands of excellence where processes or business excellence is part of the corporate DNA), the hope for a strong information security practice in Pakistan is bleak. The primary reason for this assessment based essentially on realism is our national priorities, lack of continuity of the national agenda, and the lack of government funded programs which can ensure that a professional practice can take deep roots in our organizations and our public institutions.
Nahil Mahmood is Chief Executive of Delta Tech, a leading Information Security and IT Consulting organization in Pakistan. He is the current Chairman of the Cybersecurity Association of Pakistan, and former founder and President of Cloud Security Alliance (Pakistan) and the Open Web Application Security Project (OWASP). Nahil is a frequent speaker and moderator at IT and Information Security events in Pakistan and in the region. He can be reached at: firstname.lastname@example.org.