This article will not contain any technical information and will focus only on our observations from a couple of incidents that we faced or heard of during our work. We may mention Information Security in some places in this article; this is intentional, not a misconception.
First, let's quote something that Paul Roberts once said in his book "Guide to Project Management":
Many businesses do not change when they need to, nor do they change when they have to. If they did, many fewer would fail. But, like people, they only change when they want to.
We believe that Paul was right! And we will try to point out the things that MUST be changed in order to avoid getting PWNED.
If an organization is to change the way it achieves a secure system, that change should be seen as a culture change, involving adjustments in mindset, values, and behavior.
Keep in mind that security is not a piece of software or a person; it is a goal that you have to work towards for as long as your business is running!
The items in this list may apply to private or public sectors or both!
With the content and tools available today, you don't need to be a child prodigy to attack an organization by typing its IP address into a tool. Moreover, an intermediate-to-advanced hacker can cause a lot of trouble because of the lack of the protections that we will discuss next.
Most of them know that they will get away with what they did because there is no special force to track them down or arrest them; the eCrime department is still amateur, with little training and few resources and talents.
Believe it or not, some individuals who call themselves "Ethical Hackers" and some people who work in the eCrime department are involved in cyber-attacks!
When it comes to corruption, Iraq is among the most corrupt countries in the world: in Transparency International's index, Iraq is ranked third, which is not surprising for someone who lives here. Corruption is an issue that touches every aspect of our lives, and security is one of them.
Corruption in this article refers to:
There is no clear text on eCrime in Iraq's law. That prevents improvement, since nobody wants to do extra work unless he/she is legally required to do it. If the government passes a law that forces companies to follow standards, this may cause a slight improvement. However, without the tools and the human resources, this will not happen at the moment.
Companies also do not seem to care, since most of them don't have their employees sign NDAs. You may sit with someone who works for a company or the government and hear them throwing classified information around in a café!
Last year, the Iraqi government suffered a cyber-attack led by a hacker called "M4x Pr0". He/she was able to hijack the .iq DNS and redirect all the traffic to his defacement page.
His attacks continued for more than a month and no one detected them. There are other stories that we cannot share for professional reasons, but all of them involve a lack of incident response planning and a lack of monitoring.
Let us tell you two stories. One involves the CEO of one of the biggest e-payment startups here in Iraq, the other a well-known telecommunications company.
Once we had an interview with an e-payment startup, and the CEO asked us to find security issues to validate our skills. Unfortunately, we bought it and started looking for security issues in the system. We found some and told the CTO about them, and he was convinced that these were security issues. But the surprise was that the CEO was upset because we had previously told him that he was late for the meeting, and that hurt his pride. So he told the CTO that these were not security issues! The problem is that the CEO is a non-technical guy who thinks an OS is built on HTML. The conclusion of the story is that the CEO cared about his wounded pride more than about the users' privacy.
You can find the other story here:
Writing about an issue without a solution is futile. The goal itself, in the current environment, seems impossible to achieve given the obstacles that we mentioned. Still, making progress, albeit rather slowly, is better than the ostrich attitude. Let's talk about a few points that will help the reader get something useful out of this article:
Do not be dubious when it comes to security. Believing that people are angels with halos and harps will not protect your business from cyber-attacks. Security merits all the money that you will spend on it and will make the perilous cyber world a safer place for users.
If you think your site, app, and network are secure and want to make sure of that, then give us a call: firstname.lastname@example.org