Dubai, UAE, 20^th October 2003

“Four employees of Scanit left Belgacom to start Scanit. Such was the belief that Belgacom had in the new company that it made substantial investment into the company and then contracted its services. Upon completion of the contract Scanit partnered with Belgacom’s e-business arm to take the services to the rest of Europe,” he explained.

The new partnership, said Comtrust, has resulted in a unique combination of infrastructure and security solutions coupled with penetration testing and vulnerability assessment services designed to help organisations protect themselves from mounting Internet security threats. “The new venture between Comtrust and Scanit is about helping regional business help themselves,’ said Julfar. Comtrust will work with Scanit to offer regional customers a range of security auditing services including external and internal penetration testing, vulnerability testing, physical penetration testing and social engineering. The test findings will allow the two parties to better design security solutions, which fit the requirements of individual organisations. “From Comtrust’s point of view, we believe this new relationship will help us benchmark regional e-infrastructure security which can only benefit our customers,” said Julfar.

Scanit says Comtrust’s increasing regional presence will help it to reach an under serviced region. “With regards to the region as a whole, comprehensive security auditing services are hard to come by. Our relationship with Comtrust provides us the resources and reach to hit this market,” said Michaux. According to Comtrust, one message it is keen to voice to regional business is for them to take control of their IT security. “Security of online assets is of paramount importance, it should not be, under any circumstances, ignored. The idea is to engage partners to develop the best possible security system and it is certainly advisable to have this system independently tested,” said Julfar.

Scanit echoed these sentiments. “A company’s IT security is all that stands between it and the Internet and that means the world. Together Comtrust and Scanit can bring solutions that will provide optimal security for your assets,” said Michaux. With this in mind, the first priority said Michaux is to increase awareness of cyber threats within the region, what he revered to as creating controlled paranoia. “Thanks to the safe environment we enjoy here in the Middle East, security is not something that is often considered and this extends to the IT sphere. People think that because their PC is physically here in the Middle East they are some how safer from attack forgetting the fact that the Internet has no boundaries.

“Nothing could be further from the truth. If you are connected to the Internet you face the same level of threat regardless of whether you are in New York, London or Dubai,” explained Michaux. According to Comtrust and Scanit, less than 1% of organisations in the Middle East have carried out some sort of IT security audit. An alarming statistic said Scanit when considering over 20% of its customers had been hacked and were not even aware of the fact. “We had one banking client in Europe whose server had been hacked and was then being used to distribute cracked software on the Internet. This is the same server that was running their e-banking application,” said Michaux. Similar lapses are being found in organisations in the Middle East as well, pointed out Michaux, with some banks not having even installed a firewall.

“Again it goes back to this mentality that the Middle East is different from the rest of the world. Businesses think that all they have to do is spend exorbitant amounts of money on boxes with flashing lights and they are safe, but unless these systems are effectively integrated, secured and tested you might as well leave them in their packaging for all the good they are doing,” said Michaux. However, Comtrust said it was not all doom and gloom, that the region could take solace in the fact that it had the advantage of hindsight. “What regional businesses need to do to secure them selves has already been achieved in other parts of the world. We can quickly close the gap by ensuring we learn from the mistakes of others, avoiding the same pitfalls and traps, that we incorporate best practices,” argued Julfar. The services to be offered to the region by Comtrust and Scanit can be effectively divided into two categories. “We have our suite of penetration services. On average such a service takes two to three weeks. A company’s CEO will come to us and say I am company X, try and break into my system. We then take on the role of a hacker trying to find the fastest way into the company’s network,” said Michaux.

This is often called ethical hacking and while it quickly measures the current level of a company’s network security it only identifies it weakest point. “The other side of the coin is vulnerability assessments. In this case we go through a company’s entire IT network, workstation by workstation, with the intent of identifying all IT security vulnerabilities. We will then make recommendations to the company on how to best repair these points of weakness,” added Michaux. Scanit said that the time frame for a comprehensive vulnerability assessment is long citing Belgacom as a prime example. With a workforce of 28,000, the assessment took 18 months. “Once you have incorporated the recommended changes and they have passed further testing you systems are secure. All that is required then is periodic checks and if any new architecture is added to the network then that to needs to be secured,” said Michaux.

While the process is long it is necessary said Comtrust and a number of the Middle East’s biggest companies are starting to realise this. “A greater number of businesses in the region than ever before are leveraging the benefits of the Internet. However, with that comes risk and with security threats becoming more complex, and of a greater number, companies are starting to wake up to the fact that unless you neutralise these threats you put yourself in jeopardy. Nobody wants to be made aware of security inadequacies the hard way,” summed up Julfar.