Countdown To Secure
By Cat Yong
2011 was a big year security-wise for Malaysia. For reasons we shall not get into, and that shall forever remain ‘Anonymous’, a number of government websites were hacked and/or defaced, even though the hacker group had announced its intentions publicly. Despite ample warning time, nearly 200 government websites were affected. Could anything have been done to prevent it? And if yes, why wasn’t any action taken?
These are just the high-profile breaches that hit the headlines. Many, many more security intrusions and breaches remain behind the scenes or are never reported. The Malaysia Computer Emergency Response Team (MyCERT), an arm of Cybersecurity Malaysia (CSM), broadly categorises the Internet security problems it helps Malaysian individuals and companies mitigate into malicious code, denial of service (DoS), fraud, intrusion attempts, cyber harassment, spam, vulnerability reports and more.
More often than not, security incidents tend to be swept under the carpet, so any incident statistics that MyCERT has are, at best, approximations of the real online threat situation in Malaysia.
CSM’s former vice president of Cybersecurity Response Services, Adli Abdul Wahid, said, “The government is also looking at security from the perspective of ‘…if I have a million infected machines in Malaysia, that is bad news, because these machines could be used to attack another country and so on and so forth. It creates a mess.’” Not to mention it tends to sour international relations.
However, he added, “In Malaysia there is a lot of progress and one of the key things that we find is that there’s more partnerships among various parties – government, vendors, organisations – and everyone depends on one another for various reasons.”
Businesses are profit-oriented, so they need to be good at doing business, and they need to make sure that corporate assets, information assets are secure and available all the time. Governments have national interests: they want to make sure customers are happy and confident that whatever businesses are entrusted with will be safe, secure and not stolen.
Adli commented, “There is a lot of interaction and that is very good. Regulations and policies are normal, it is happening all over the world.” He also drew attention to a global trend where countries are sharing information with one another on how best to act so that the Internet remains resilient and a safe place to do a lot of things.
He concluded, “Sure, we are plagued by malware and cyber criminals and all that, but economies like Malaysia’s are shaping up and getting businesses to do the right thing. And also put in place other forms of law, so criminals can be brought to justice and penalties will be in place.”
Getting everyone to jump onboard
What is the best way to make sure everyone is on the same page? ISO 27001, the Information Security Management System (ISMS) standard, is one such way, and there is probably no area that needs it more than cyber security.
CSM, an agency under the Ministry of Science, Technology and Innovation (MOSTI), had pushed for the implementation of this standard, and two years ago it became mandatory.
Now, CSM is tasked with ensuring that Critical National Information Infrastructures (CNII) comply with it, via the regulators of the respective industries involved. CNII includes sectors like oil & gas, telecommunications, power and more, so local regulators like the Malaysian Communications and Multimedia Commission (MCMC), Bank Negara and others have their roles to play, enforcing the ISO 27001 standard in their respective industries.
There are over 11 sectors that have to be compliant with ISMS by February 2013.
Adli explained, “This standard gets everyone to relook security (in their organisations) and to look at it systematically: assess risk, exposure of the organisation to it, security issues and ways to mitigate it.”
The rationale behind ISMS ISO 27001 is interesting, and Adli added, “ISMS is one of the things we pushed for so that we can have maturity when looking at these (security) matters and not just be reactive to threats, but beyond that.
“For example, when an organisation can handle security maturely, they are free to share information with another organisation, because attacks are evolving… if the whole industry starts defending against the bad guys, one of the outcomes of this compliance is people start to talk to one another and treat threats seriously.”
Sadly, Adli observed that most organisations still have a lackadaisical attitude towards securing their businesses and an ‘It-hasn’t-happened-to-me-so-why-should-I-spend-more-money?’ mentality.
But what exactly is ISMS ISO 27001? It is a standard that specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System. Conformance to the standard aims to offer assurance to customers and stakeholders that the organisation has a management system which ensures the confidentiality, integrity and accessibility of its information.
Since last October, CSM itself has been audited by SIRIM QAS and has been found to have security policies in place, with a strict implementation of ISMS that is satisfactory.
“Malaysian organisations need to be more vigilant about security,” said Adli.
UPDATE: Cybersecurity Malaysia’s corporate communications has announced that the ISMS is now under the jurisdiction of the National Security Council. At time of writing, EITN is still awaiting comment and further clarification from NSC about their roles, duties and confirmation of the ISMS deadline, although it is believed this deadline could be March 2013.