Malaysia's National Cyber Security Policy

Copyright © 2013 CyberSecurity Malaysia

MALAYSIA’S NATIONAL CYBER SECURITY POLICY An Integrated Approach For Cyber Security And Critical Information Infrastructure Protection

10 September 2013 Bandung, Indonesia

MOHD SHAMIR B HASHIM Vice President Government and Multilateral Engagement


§  Critical infrastructures are increasingly dependent on information and communication. §  The potential natural disasters or terrorist attacks, which threaten the critical infrastructure and critical

information infrastructure as well, are dramatically increasing today. §  Risks to the CIIs include man-made attacks, natural disasters and technical failures. §  The high dependence on CNIIs, their cross-border interconnectedness and interdependencies with

other infrastructures, as well as the vulnerabilities and threats they face raise the need to address their security and resilience in a systematic perspective as the frontline of defense against failures and attacks.

Cyber Threats CRITICAL INFORMATION INFRASTRUCTURES

POWER GENERATION

SERVICES

DISTRIBUTION

Interdependencies The high degree of

interdependency between the critical infrastructure sectors means failures in one sector can propagate into others.

2


Cyber Content Related Threats Technology Related Threats

Hack Threat

Fraud

Denial of Service Attack

Intrusion

Malicious Code

Harassment

Threats to National Security

Sedition / Defamation

Online Porn

Hate Speech

3

Cyber Threats CLASIFICATIONS

Copyright © 2013 CyberSecurity Malaysia 4

2005

National Cyber Security Policy formulated by MOSTI

NCSP Adoption and Implementation 20

06

CyberSecurity Malaysia launched by

Prime Minister of Malaysia on 20 Aug 2007

2007

The policy recognises the critical and highly interdependent nature of the CNII and aims to develop and establish a comprehensive programme and a series of frameworks that will ensure

the effectiveness of cyber security controls over vital assets

NCSP Objectives

Address The Risks To The Critical National

Information Infrastructure

Ensure That Critical Infrastructure Are

Protected To A Level That Is

Commensurate With The Risks

Develop And Establish A

Comprehensive Program And A

Series Of Frameworks

Cyber Security Governance NATIONAL CYBER SECURITY POLICY

4


VISION ‘Malaysia's Critical National Information Infrastructure shall be secure, resilient and

self-reliant. Infused with a culture of security, it will promote stability, social well being and wealth creation’

5

DEFENCE & SECURITY • Ministry of Defense, Military • Ministry of Home Affairs, Police

TRANSPORTATION • Ministry of Transport

BANKING & FINANCE • Ministry of Finance • Central Bank • Securities Commission

HEALTH SERVICES • Ministry of Health

EMERGENCY SERVICES Ministry of Housing & Local Municipality

CRITICAL NATIONAL INFORMATION INFRASTRUCTURE

Assets (real & virtual), systems and functions that are vital to the nation that their incapacity or destruction would have a devastating impact on • National Defense & Security

• National Economic Strength

• National Image • Government capability to function

• Public Health & Safety

ENERGY • Energy Commission

INFORMATION & COMMUNICATIONS • Ministry of Communications & Multimedia

GOVERNMENT • Malaysia Administrative, Modernisation and Management Planning Unit

FOOD & AGRICULTURE • Ministry of Agriculture

WATER • National Water Service Commission

National Cyber Security Policy CNII SECTORS


•  Effective Governance National Security Council

•  Legislation & Regulatory Framework Attorney General’s Office

•  Cyber Security Technology Framework Ministry of Science,

Technology and Innovation

•  Culture of Security and Capacity Building

Ministry of Science, Technology and

Innovation

•  Research & Development Towards Self Reliance


Innovation

•  Compliance & Enforcement Ministry of Information,

Communications & Culture

•  Cyber Security Emergency Readiness National Security Council

•  International Collaboration Ministry of Information,


1 2345678

6

National Cyber Security Policy POLICY THRUST








Innovation



Innovation






1 2345678

7



CyberSecurity Malaysia (www.cybersecurity.my) A NATIONAL CYBER SECURITY SPECIALIST AGENCY UNDER THE MINISTRY OF SCIENCE, TECHNOLOGY AND INNOVATION (www.mosti.gov.my).

Pt 1: Effective Governance CYBERSECURITY MALAYSIA

Ministerial Function Act1969, Amendment 2009

Provides specialised ICT security services and continuously identifies

possible areas that may be detrimental to national security

Cabinet Notes 2005 Ministry of Finance and Ministry of Science, Technology & Innovation

CyberSecurity Malaysia as a National Body to monitor aspects of the National e-

Security

VISION To be a globally recognised National

Cyber Security Reference and Specialist Centre by 2020

MISSION Creating and Sustaining a Safer Cyberspace to Promote National

Sustainability, Social Well-Being and Wealth Creation

8

Establishment of a national info security coordination

centre


STRATEGY ENGAGEMENT &

RESEARCH

INFO SECURITY PROFESSIONAL

DEVELOPMENT & OUTREACH

SECURITY QUALITY MANAGEMENT

SERVICES

CYBER SECURITY EMERGENCY

SERVICES

Digital Forensics

Security Management & Best

Practices Info Security Professional Development

Outreach

Strategy Engagement

Research

Information Security Certification Body

CyberSecurity Malaysia CORE FUNCTIONS / SERVICES

Security Assurance

Security Incident Handling

9


National Security Council Chair : Y.A.B. Prime Minister Secretariat: NSC

E-Sovereignty Working Group Chair : Under Secretary of NSC

National Cyber

Security Coordination Committee

Chair : NSC Secretariat : NSC

Government Communication

Strategy Enhancement

Committee

Chair : PMO Secreatriat : BHEUU

National Cyber Crisis Coordination Committee

Chair : PMO

Secretariat : NSC

Cyber Law Committee

Chair : AGC Secretariat : AGC

National Acculturation

& Capacity Building

Committee

Chair : MOSTI Secretariat :

MOSTI

MICC compliance & Enforcement Committee

Chair : MICC Secretariat :

MICC

E-Sovereignty Committee Chair : Y.A.B. Deputy Prime Minister Secretariat: NSC

National IT Council (NITC) Chair : Y.A.B. Prime Minister Secretariat: MOSTI

POLICY CONTENT CRISIS MANAGEMENT LEGISLATION ACCULTURATION &

CAPACITY BUILDING COMPLIANCE & ENFORCEMENT

Pt 1: Effective Governance ORGANIZATION STRUCTURE

10


•  MAMPU •  National Security Council •  Attorney General’s Chambers •  Chief Government Security Office •  Ministry of Science, Technology & Innovation •  Ministry of Defense •  Ministry of Foreign Affairs •  Ministry of Energy, Green Technology & Water •  Ministry of Information, Communication & Culture •  Ministry of Transportation •  Ministry of Home Affairs •  Royal Malaysian Police •  Southeast Asia Regional Center for Counter-Terrorism •  Bank Negara Malaysia •  National Water Services Commission •  Malaysian Communication & Multimedia Commission •  Energy Commission •  Securities Commission Malaysia •  Khazanah Nasional Berhad •  CyberSecurity Malaysia •  MIMOS Berhad •  Standards Malaysia

Pt 1: Effective Governance NATIONAL COORDINATION COMMITTEE








Innovation



Innovation






1 2345678

12



Cyber Specific Laws Specific legislation governing

online matters

• Communications and Multimedia Act 1998 • Optical Disk Act 2000 • Computer Crimes Act 1997 • Digital Signature Act 1997 • Telemedicine Act 1997 • Electronic Commerce Act 2006 • Electronic Government’s Activities Act 2007 • Personal Data Protection Act 2010

Non Cyber Specific Laws Legislation that may be used to

regulate online matters whenever applicable

• Copyright Act 1987 • Sedition Act 1948 • Penal Code • Defamation Act 1957

Pt 2: Legislative & Regulatory Framework CYBER LAWS OF MALAYSIA

Reduction of & increased in success in, the prosecution in

cyber crime.


A study on the laws of Malaysia to accommodate legal challenges in the Cyber Environment

14

Pt 2: Legislative & Regulatory Framework CYBER LAW REVIEW STUDY


Pt 2: Legislative & Regulatory Framework CYBER LAW REVIEW STUDY


Pt 2: Legislative & Regulatory Framework AMENDMENTS – EVIDENCE ACT


DIGITAL FORENSICS LAB ANALYZE & INVESTIGATE

DIGITAL EVIDENCE

DATA RECOVERY LAB RECOVER CORRUPTED &

DELETED DATA

EXPERT DEVELOPMENT LAB

PLATFORM FOR RESEARCH & JOB ATTACHMENT

EVIDENCE PRESERVATION FACILITY

A SECURE ENVIRONMENT FOR DIGITAL EVIDENCE

CyberCSI™

Pt 2: Legislative & Regulatory Framework DIGITAL FORENSICS


Notification of Declaration under Subsection 399(2) - Digital Forensics Analyst

Pt 2: Legislative & Regulatory Framework EXPERT WITNESS


MODULES LEVEL

1 Information Security Essentials Fundamental

2 ISMS Essentials Fundamental

3 Digital Forensics Essentials Fundamental

4 Forensics on Internet Application Fundamental

5 Digital Forensics for First Responder

Intermediate

DIGITAL FORENSICS MODULES

Duration: 11 days

19

Pt 2: Legislative & Regulatory Framework DIGITAL FORENSICS TRAINING








Innovation



Innovation






1 2345678

20



§  Guidelines: Computer Security Handbook, ICT Outsourcing Information Security

§  Best practices: Social Networking, Protecting Your Mobile Device

§  3rd Party Information Security Assessment Guideline §  Wireless Local Area Network (LAN) Security Guideline

§  Joint development of the National Cyber Crisis Management Plan (NCCMP) with National Security Council.

§  Business Continuity Management (BCM) implementation for organization.

§  Development of Information Security Standards at the national level.

§  Information Security Management System (ISMS) certification programme for Critical National Information Infrastructure (CNII) agencies.

§  Develop Information Security Guidelines and Best Practices.

21

Pt 3: Cyber Security Technology Framework SECURITY MANAGEMENT BEST PRACTICES

Expansion of national certification scheme for infosec mgmt &

assurance


Phase 2 – Building the Infrastructure SECURITY STANDARDS

MODULES LEVEL



3 ISMS Implementation Intermediate

4 ISMS Internal Auditor Advance

ISO 27001 Information Security Management System

Duration: 9 days

ISO/IEC 27001 Information Security Management – Confidential Information Remain Confidential

22


SECURITY ASSURANCE OFFERS 2 TYPES OF SERVICE FOR THE ENHANCEMENT OF NATIONAL INFORMATION SECURITY ASSURANCE :

MyVAC (National Vulnerability Assessment Center)

MySEF (Malaysian ICT Security

Evaluation Facilities)

•  Vulnerability Assessment And Penetration Testing Services for CNII sectors

•  Common Criteria (CC) evaluation service

•  Security Assessment for control system (SCADA/DCS)

•  ICT Product Security Assessment (IPSA) service

•  Common Criteria (CC) Protection Profile (PP) evaluation service

23

Pt 3: Cyber Security Technology Framework ASSESSMENT & ASSUARANCE


CERTIFICATE AUTHORISING PARTICIPANTS

CERTIFICATE CONSUMING PARTICIPANTS

•  Participants that represent a compliant Certification Body

•  Mutually recognizes certified products/systems produced by the Certificate Authorising Participants based on ISO/IEC 15408

Participants that have a national interest in recognising CC certificates produced by the Certificate Authorising Participants based on ISO/IEC 15408

CCRA is an international recognition arrangement for Common Criteria Standard (ISO/IEC 15408)

CyberSecurity Malaysia is the National Certification Body - Malaysian Common Criteria Certification Body (MyCB) ITALY JAPAN NETHERLANDS

SWEDEN TURKEY

NEW ZEALAND

AUSTRALIA

UNITED KINGDOM

CANADA FRANCE

UNITED STATES

GERMANY

SPAIN REP. OF KOREA NORWAY

AUSTRIA GREECE FINLAND DENMARK CZECH REP

HUNGARY SINGAPORE PAKISTAN ISRAEL INDIA

24

Pt 3: Cyber Security Technology Framework COMMON CRITERIA RECOGNITION ARRANGEMENT


1.  International collaboration in the area of CERT in the Asia Pacific region and OIC countries.

2.  Coordinate the implementation of the NCSP. 3.  Secretariat for the Operational Task Force under National

Security Council. 4.  Secretariat for the NC3 chaired by National Security Council

1.  Cyber media research 2.  Cyber War Research 3.  Development of National Cryptography Policy 4.  Cyber Laws Study 5.  Co-Chair for CSCAP Study Group on Cyber Security that includes the

Issues of Transnational Cyber Crime 6.  Co-Leading Nation for ASEAN Regional Forum in Counter

Radicalization Work Plan for Counter-Terrorism & Transnational Crime in collaboration with Ministry of Foreign Affairs

25

Pt 3: Cyber Security Technology Framework STRATEGIC RESEARCH & ENGAGEMENT


CYBER CONFLICTS

Tactics •  Cyber espionage •  Web vandalism •  Propaganda •  Gathering data

• Distributed Denial-of-Service Attacks •  Equipment disruption •  Attacking critical infrastructure • Compromised Counterfeit Hardware

(source: http://en.wikipedia.org/wiki/Cyberwarfare)

26

Emerging Threats

Pt 3: Cyber Security Technology Framework STRATEGIC RESEARCH & ENGAGEMENT








Innovation



Innovation






1 2345678

27



Pt 4: Culture Of Cyber Security & Capacity Bldg IT’S ABOUT PEOPLE


An area where today’s youth are at greatest risk is social networking http://www.jdpower.com/autos/car-photos/ Identity-Theft/Identity-Theft/2009

Pt 4: Culture Of Cyber Security & Capacity Bldg PEOPLE – WEAKEST LINK


‘National Strategy for

Cyber Security Acculturation and Capacity

Building Program’

Pt 4: Culture Of Cyber Security & Capacity Bldg CYBER SECURITY ACCULTURATION & CAPACITY BLDG

Reduced no. of InfoSec incidents through improved awareness & skill

level


§  Man behind the machine is the critical factor

Current Ratio of

Professionals : Internet User 1 : 8,924

Target 1:1,500 (Conduct Study to determine number of Info Pro)

"   Help nurture the information security workforce with the required knowledge and skills by providing information security competency and capability courses and certifications.

"   Through strategic collaborations with reputable organizations in Malaysia and international accreditation institutions this program is accomplished.

"   Malaysia requires sufficient skilled people to deal with sophisticated cyber threats & uncertainty of cyber space.

31

Pt 4: Culture Of Cyber Security & Capacity Bldg CAPACITY BLDG – INFOSEC PRO DEVELOPMENT


PROFESSIONAL COURSES • Business Continuity Management Professional Certification (BCLE2000)

• Certified Information System Security Professional (CISSP) CBK Review Seminar

• Certified Secure System Lifecycle Professional (CSSLP)

• ISO 27001 Lead Auditor • Professional in Critical Information Infrastructure Protection (PCIP)

• System Security Certified Practitioner (SSCP) CBK Review Seminar

SPECIALIZED COURSES • Digital Forensics for Law Practitioner • Forensics on Internet Applications • ISO 27001 Internal Auditor

INTERMEDIATE COURSES • Cryptography for Information Security Professional • Digital Forensic for First Responder • Incident Response & Handling for Computer Security & Incident Response Team (CSIRTS)

• Incident Handling and Network Security Training (IHNS)

• ISO 27001 Implementation • MyCC 2.0 - Foundation Evaluator Training

FUNDAMENTAL COURSES • Business Continuity Management For Beginners • Cryptography for Beginners • CSM Security Essential Training • Data Encryption for Beginners • Digital Forensics Essential • Google-Fu Power Search Technique

32

Pt 4: Culture Of Cyber Security & Capacity Bldg TRAINING COURSES


CyberSecurity Malaysia’s

CyberSAFE Cyber Security Awareness For Everyone

PROGRAM

•  It is everyone’s responsibility •  To explore smart partnership CyberSecurity Malaysia and YOU

Pt 4: Culture Of Cyber Security & Capacity Bldg AWARENESS








Innovation



Innovation






1 2345678

34



Development of the National R&D Roadmap for Self Reliance in Cyber Security Technologies is facilitated by MIMOS Berhad, a Government R&D institution

35

To Identify Technologies That Are Relevant and Desirable by the CNII

To Promote Collaboration with International Centres

of Excellence

To Provide Domain Competency Development

To Nurture the Growth of Local Cyber Security

Industry

To Update the National R&D Roadmap

Pt 5: Research & Development Towards Self Reliance R & D ROADMAP

Acceptance & utilization of local developed info security

products








Innovation



Innovation






1 2345678

36



•  To study the need to introduce a Cyber Security Safety Standards Act to ensure mandatory compliance by CNII to ISMS Standards (ISO27001) and other selected standards.

•  Audit and certification of ISMS compliance of CNIIs within 3 years from the date of Cabinet mandate 24 Feb 2010

Ensure Mandatory Compliance to Informa;on

Security Standards by CNII

• Government Agencies dialogue session to implement ISMS compliance for CNIIs

• ISMS (ISO/IEC-27001) training and workshops for CNIIs and regulatory bodies

• CNII Information Security Standards Adoption Program

Capability and Awareness

Programmes for CNIIs

• Local Developers to obtain products certification under ISO 15408 (Common Criteria EAL2)

• Develop Cyber Security Industry Directory to list Malaysian IT security companies, products and IT security professionals

• Cyber Security Trade Event to promote locally developed products under Common Criteria (Nov2012)

Facilitate Industry Development

In progress

Case for change: n Cabinet mandate for CNII organizaTons to obtain ISMS cerTficaTon within 3 years 24 Feb 2010

n CriTcal NaTonal InformaTon Infrastructure (CNII) exposed to cyber threats

n  Lack of compliance to informaTon security standards (eg ISMS 27001) amongst CNII

n Weak ecosystem of local industry to support the requirements of CNII e.g. Products cerTfied under Common Criteria

RecommendaTon: n Ensure mandatory compliance of ISMS Standards for CNII

n Capability and Awareness for CNIIs n  Facilitate Industry Development * CollaboraTon with PEMANDU (Performance Management and Delivery Unit) SRI (Strategic Reform IniTaTve)

In progress

In progress

Pt 6: Compliance & Enforcement STANDARDS & GUIDELINES

Strengthen or include infosec enforcement role in all CNII

regulatorsI








Innovation



Innovation






1 2345678

38



Number of cyber security incidents referred to CyberSecurity Malaysia 31 Aug 2012 (excluding spams)

INCIDENTS

§  Intrusion §  Intrusion Attempt §  Spam §  DOS §  Cyber Harassment §  Fraud §  Content Related §  Malicious Code §  Vulnerabilities Report

39

As of 30th April 2013

CNII resilience against cyber crime, terrorism, info warfare

Pt 7: Cybersecurity Emergency Readiness CYBER INCIDENTS 1997 - 2012


0

100

200

300

400

500

600

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012

30 58 49 48

91 105 137

190 172 131

59 13 5 20 45

41

116

160

212

428 442

349

Forensic Analysis

Data recovery

•  75% cases - from law enforcement agencies (PDRM, BNM, AG, SKMM etc). •  Types of cases – Financial Fraud, Sexual Assault, National threats, etc.

[ As of 31st August 2012 ]

43 63

93 69

132

221

297

600

402

573

408

40

Pt 7: Cybersecurity Emergency Readiness DIGITAL FORENSICS CASES (2002 – 2012)


Cyber999™ Cyber Early Warning Services 1. Incident Handling

2. Cyber Early Warning

3. Technical Coordination Centre

4. Malware Research Center

§  Email o  [email protected] o  [email protected]

§  Phone o  +603 8992 6969 o  1 300 88 2999

§  Fax o  +603 8945 3442

§  SMS o  15888 “Cyber999 Report”

§  Mobile (24x7) o  +6019 266 5850

§  Online – http://www.mycert.org.my

§  Office Hours – MYT 0830 - 1730

Pt 7: Cybersecurity Emergency Readiness COMPUTER EMERGENCY RESPONSE TEAM


Emerging Threats

LebahNet Project

Malware Research

Threats VisualizaTon

Advisory & Alerts

EXPLOIT

ADVISORIES & ALERTS §  Software vulnerabilities (advisories) §  0 day vulnerabilities §  Patch & upgrades

OUTBREAKS ALERTS §  H1N1 flu §  Trojan-Michael Jackson Death §  Conficker §  IE/Acrobat/Office/Flash 0 day

MA-321.072012 : MyCERT Alert - Microsoft Security Bulletin Summary For July 2012 21/06/2012 MA-320.062012 : MyCERT Alert - Critical Vulnerability in Microsoft XML Core Services 19/06/2012 MA-319.062012 : MyCERT Alert - Increase in Web Defacement Incidents 13/06/2012 MA-318.062012 : MyCERT Alert - Microsoft Security Bulletin Summary For June 2012 13/06/2012 MA-317.062012 : MyCERT Alert - Oracle Java SE Critical Patch Update Advisory - June 2012 11/06/2012 MA-316.062012 : MyCERT Alert - Critical Vulnerability in MySQL and MariaDB 11/06/2012 MA-315.062012 : MyCERT Alert - Critical Vulnerability in Adobe Flash Player 07/06/2012

Pt 7: Cybersecurity Emergency Readiness MALWARE RESEARCH CENTER


Incident Handling

Technical Coordination

Centre

MODULES LEVEL



3 Incident Handling & Network Security (IHNS)

Intermediate

4 Ethical Hacking and Penetration Testing

Intermediate

5 Security Audit and Assessment Intermediate

INCIDENT HANDLING MODULES

Duration: 13 days

43

Pt 7: Cybersecurity Emergency Readiness COMPUTER EMERGENCY RESPONSE TEAM








Innovation



Innovation




•  International Collaboration Ministry of

Communications & Multimedia

1 2345678

44



APCERT

OIC-CERT

ENGAGE Participate in relevant cyber security meetings and events to promote Malaysia’s positions and interests in the said meetings and events

PRIORITIZE Evaluate Malaysia’s interests at international cyber security platforms and act on elements where Malaysia can get tangible benefits and voice third world interests

LEADERSHIP Explore opportunities at international cyber security platforms where Malaysia can vie for positions to play a leadership role to project Malaysia’s image and promote Malaysia’s interests

Pt 8: International Collaboration MISSIONS

International branding on CNII protection with improved awareness & skill level


q  The National Cyber Security Policy is a holistic approach for cyber defence of the CNIIs and the nation.

q  Encouraging Public Private Cooperation as essential element in mitigating cyber threats

q  Commitment from stakeholders is critical in ensuring the success of the policy’s implementation.

46

NATIONAL CYBER SECURITY POLICY In Conclusion

Malaysia's National Cyber Security Policy

Technology

Transcript of Malaysia's National Cyber Security Policy