Cybersecurity for disruptive technologies

Majid Malaika (Chief Advisor to H.E. The Vice Governor of the Saudi Central Bank), an alumnus of the King AbdulAziz University, has extensive experience in software development and cybersecurity.

Now playing a pivotal role in digital transformation and security at the Saudi Central Bank (SAMA), he has a focus on policy and cybersecurity for disruptive technologies – including distributed ledger tech, digital assets, smart contracts, and DeFi.

We asked Malaika for a glimpse into his world ahead of Black Hat MEA 2023. Here’s what he told us.

Could you share your career journey so far?

“Oh, where should I start? When I had my first computer, an Intel 486, was a piece of art – I couldn’t play certain games due to some computer limitation. With school friends we figured out a way to trick the computer to think it had the appropriate configurations through manipulating the config sys and autoexec files. This enabled us to play these games for some time – at least until the computer crashed obviously due to the actual limitations.

“Now, the idea of making things work differently than what they were intended for was so intriguing to me – this was the seed that started me questioning how things run and how they can be manipulated, which is easier than you think in most cases. Eventually this got me in trouble a few times in school then during university; but great mentors channelled this energy to do good rather than bad, and I’m forever grateful to them.

“Fast forward, after earning my Doctor of Engineering degree from SMU, Dallas Texas, I joined Cigital (acquired by Synopsys), a consultancy company in 2011 as an associate consultant. There, I worked for multinational financial firms in New York in the US, and moved quickly to work on critical infrastructure – conducting threat modelling and architecture risk analysis for critical systems and applications. A truly priceless experience with many jaw dropping moments.

“I followed this by joining a leading educational technology company called Amplify where I worked on niche technologies and approaches like Cloud, Containers, DevOps, and Agile in software development. This too was a steep learning experience, especially modern software development approaches that were not initially understood and security didn’t integrate well with the process. During this period, I participated in many bug bounties on the side, and found a number of vulnerabilities. The most interesting vulnerability was within Coinbase, one of the largest Virtual Asset exchange markets globally where I was rewarded 5 Bitcoins (back then it was roughly worth a total of $400).

“In 2015 I joined the International Monetary Fund (IMF) and built the Application Security practice from the ground up. I then led the Digital Transformation and Cybersecurity Risk within the Digital Advisory Unit in the IT Department. My focus was to enable the IMF and its member countries to experiment and research emerging technologies/solutions such as blockchain/DLT, smart contract, DeFi, big data, machine learning, artificial intelligence, open banking, digital assets, and their impact on the IMF’s Technical Assistance missions, and the growth and stability of the Fund’s member countries.

“Over the years, I have worked with elite researchers on various research topics such as blockchain and smart contract security. One study was demonstrating a method to abuse smart contracts on the Ethereum platform, to run a command-and-control (C2) BotNet network. Another topic was enhancing the security of smart contracts against cyber and fraud attacks, this is currently a pending patent with the United States Patent and Trademark Office.

“In 2022 I left the IMF on leave-of-absence, to join the Saudi Central Bank as an Advisor to His Excellency the Governor and then His Excellency the Vice Governor for Supervision and Technology. My current focus is on digital transformation and risk management for the Central Bank, as well as the Kingdom’s financial sector – especially when dealing with new technologies and disruptive solutions.”

What are the challenges you face when you lead cybersecurity for disruptive digital technologies?

“Two things come to mind. First, the industry's knowledge gap and understanding of these disruptive technologies and their reach and impact. Especially with identifying risks and developing mitigation schemes.

“For example, if you open a new piece of software’s Common Vulnerabilities and Exposures (CVE) page or website, in most cases you will find very minimal reported vulnerabilities. Now look for a more mature piece of software and you will find in most cases a much longer list, for the popular ones at least (I usually show a newly established ledger/blockchain in comparison to a more mature one).

“The challenge with this is that new technologies in the past were mostly run internally in data centres with minimal attack surfaces. This, by laws of access, reduced attacks by minimising the attack surface. Fast forward to today, these technologies, in a very short period of time, are now running critical business use-cases with much larger attack surface with online access and cloud deployment. This by itself is a challenge and requires good risk assessment and careful attention to detail.

“The second challenge that comes to mind is the difficulty in assessing the risk for systems leveraging (or integrating with) disruptive technologies. This challenge stems from the fact that to assess risk of any system or technology, a full understanding of the technology’s architecture, aspects of operation, and integration etc. must be present by the assessing team – which is usually not the case with new disruptive technologies, especially in the early days of inception.”

Are there any types of cyber threat you're seeing a lot of at the moment? And could you elaborate on the causes?

“I believe attacks against the application layer will be on the top of the list for quite some time; however, if we take a deeper look, broken or weak authentication and authorisation schemes are among the top causes, and for good reasons.

“Authentication is usually among the first line of defences for a system, especially if you’re on the Internet. This makes it susceptible to analysis and probing 24/7 and by anyone with a connection. Add to this, the complexities of multi-factor and SSO handshakes and integrations, you can imagine mistakes can happen easily during the development and implementation phases.

“Now for authorisation, this one gets complicated during development very quickly, and from my code-review and penetration testing years I can say that authorisation components I looked at (especially the ones I had access to the source-code) were almost always containing weaknesses, or were simply broken. This puts more emphasis on the assurance activities along the development lifecycle whether it is a waterfall or even agile or anything in between.”

Why are events like Black Hat MEA valuable to you?

“During my studies in the United States, I dreamt of attending Black Hat and similar hacking events. However, I couldn’t afford it until I was accepted in King Abdullah’s scholarship – and also after finding out that Black Hat had a special student rate which was much cheaper.

“Attending security conferences was truly an eye opener. I saw hackers hacking control systems, windmills, ATMs, and breaking encryption through different schemes. This helped me realise that application security is what I wanted to specialise in, and the rest is history. This influenced my doctoral research to focus on equipping applications and systems with resilience mechanisms against cyber attacks.

“Now continuing to attend Black Hat and other hacking and security conferences is essential for anyone in the field to keep abreast of the latest methods and schemes in security (attacking and defending), and always incorporating the knowledge in our daily fight against real hackers and adversaries.”

Thanks to Majid Malaika at SAMA. Join us at Black Hat MEA 2023 to learn more.