SolarWinds was at the centre of one of the biggest cyber espionages that came to light in December 2020. Reuters

Lessons from SolarWinds breach reveal why future supply chain attacks are hard to prevent


Alvin R Cabral

The lessons from the massive cyber attack that befell US IT management solutions provider SolarWinds continue to reverberate more than two years after it happened, serving as a warning that organisations need to remain vigilant amid an increase in global hacking campaigns.

The reality, however, is that future supply-chain attacks cannot be stopped because there is no way to tell if and when an organisation has been or would be breached until it may be too late, just as in SolarWinds' case, said Peter Firstbrook, a research vice president at Gartner.

"Nobody's going to convince me that there's a checklist or something you could've done before the SolarWinds attack that would've prevented your organisation from buying the SolarWinds product and installing it in your network," Mr Firstbrook said at the research firm's Security and Risk Management Summit on Monday.

"There really isn't a good example of making one think, 'you know what, these guys may be infected in the future, therefore, I think, we shouldn't buy this very powerful and very useful utility and put it in our network'. The security person who said that would get laughed at in the room."

A supply-chain attack uses a supplier to attack downstream customers: a company could become a victim whose own customers are then affected, or another organisation upstream could be infected and used to infiltrate your organisation.

SolarWinds was among a number of companies breached in the widescale cyber attack that came to light in December 2020 after going undetected for a year. The hacking continues to reverberate today, with the growing threat of similar supply-chain attacks expected to increase further.

In what is considered one of the worst cyber espionage cases in history, the attackers exploited software credentials from SolarWinds and other US companies, including Microsoft and VMware, and used them to infiltrate several American federal departments, while also affecting global organisations such as the UK government, the European Parliament and Nato.


Tim Brown, the chief information security officer of Texas-based SolarWinds, told The National last October that the company recovered well in the aftermath of the cyber attack and said its experience should serve as a warning to other companies.

Mr Firstbrook said due diligence should be done, but the ability to spot that potential breach implant is extremely low.

"You should be prepared to respond. Nation state attacks show where the market and adversaries are going: whatever nation states do this year, you can assume that the ransomware authors will be doing next year."

He discussed a number of key points that organisations need to keep in mind and put in place that can help mitigate — if not totally prevent — cyber breaches.

Always 'assume breach'

Having the mindset of "assume breach" — a concept that assumes an attack will happen or has happened — is the only valid approach to cyber security, Mr Firstbrook said.

In the SolarWinds debacle, hackers were in very sophisticated organisations such as FireEye, Mimecast and Microsoft for up to nine months and these companies had no idea.

"We always have to assume that there’s something going on and we haven’t found it yet, [just like the] concept of zero trust, wherein you trust nobody until they verify who they are," he said.

You can't just buy 'security'

Having the most popular and most expensive security tools is never enough to safeguard your infrastructure; policy, procedure and smart operators are critically important to implementing an effective security programme. FireEye was the first to publicly announce the SolarWinds breach after one smart operator used multi-factor authentication to try and verify suspicious activity.

"Despite all of the tools they had, the one thing that caught the infection and started the clean-up operation was a smart operator who was following organisational procedures," Mr Firstbrook said.

Identity and access management system is clearly a rich target

Attackers today are increasingly using stolen credentials to game the credential system in order to move laterally with impunity — and they look authentic, escaping detection.

Mr Firstbrook said while most organisations do think of their identity infrastructure and spend huge amounts on it, they tend to overlook those who are able to access it.

"Most are focused on letting the good guys in, but very few focus on how to secure this 'Tower of Babel' infrastructure. Once data has piled up over the years, how do you know who's who?"

APIs, often ignored, are now bigger targets

There is a so-called perimeter within IT infrastructure that must be defended, and today identity is the new perimeter, treated the same way as firewalls were before.

However, the other perimeter organisations are missing is that identity isn’t just about people — it’s also about devices and things as machine identity becomes more important.

In the SolarWinds breach, attackers gained access to a security provider’s environment, which had access to the Microsoft Office 365 environment. They got the keys for that vendor’s application programming interface and used them to attack its customers’ environments.

"Every application is a collection of APIs [Application Programming Interface], and yet in most organisations I ask who’s in charge of API security, there are blank stares around the table," Mr Firstbrook said, pointing out the lack of accountability in machine identity.

Configuration is as important as quality

A lot of organisations may have a broad portfolio of best-in-breed security tools, but if the people who installed those tools aren't there, the new ones manning the system may not know what has been done that could potentially compromise the infrastructure.

Mr Firstbrook recommends that systems be configured and tuned at least annually to ensure system credibility.

However, "the best authority for configuration and guidance are the vendor themselves; work with them to make sure systems function as expected", he said.

Privileged servers must be profiled

Privileged servers — those which grant special access to certain users — are perfect targets for attacks, as they can potentially be exploited for uses other than legitimate purposes.

Mr Firstbrook said administrators should know what these privileged users are going to do with the information accessed and how they behave while accessing it.

"There are tools that can profile these servers, assign some parameters on how it behaves and find out why they do things they're not supposed to do. If there is any anomaly, an alert can be triggered."

Updated: May 30, 2023, 7:37 AM